CVE-2026-48526 is a HIGH severity vulnerability (CVSS 7.4) in PyJWT, a widely-used JSON Web Token implementation for Python. The flaw exists in versions prior to 2.13.0 and stems from improper validation when the library supports both asymmetric (public-key) and HMAC (symmetric) algorithms. Specifically, when decoding JWTs, PyJWT fails to validate the use of JSON Web Keys (JWK) in HMAC algorithm contexts. [truncated]
A denial-of-service vulnerability exists in PyJWT versions 2.8.0 through 2.12.1 when processing detached JSON Web Signature (JWS) tokens with the unencoded-payload option (RFC 7797). The library unnecessarily decodes a Base64URL payload segment from the compact serialization before validating the signature and applying detached-payload rules. This allows unauthenticated remote attackers to force excessive [truncated]
PyJWT versions prior to 2.13.0 contain a denial-of-service vulnerability in the `PyJWKClient.get_signing_key()` method. The method issues a fresh HTTP request to the configured JWKS endpoint whenever it encounters a JWT with an unknown `kid` (key ID) value. Because the `kid` is extracted from the unverified token header, an attacker can craft tokens with arbitrary `kid` values to trigger repeated outbound [truncated]
A verifier-side algorithm allow-list bypass exists in PyJWT versions 2.9.0 through 2.12.1. When `jwt.decode()` or `jwt.decode_complete()` is called with a PyJWK key, the token header's `alg` parameter is validated against the caller-supplied algorithms allow-list, but signature verification is performed using the algorithm bound to the PyJWK object rather than the header algorithm. An attacker who control [truncated]
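The three decode-side advisories above (JWK/HMAC key-type confusion, decoding the payload before the signature is checked, and the header `alg` diverging from the algorithm bound to the key) come down to ordering and consistency checks in a verifier. The following is an added example, not PyJWT's code and not its API: a minimal stdlib-only HMAC compact-JWS verifier. `BoundKey`, `sign_compact_jws`, `verify_compact_jws` and `rejects` are hypothetical names chosen here; the secret and claims in the demo are constructed. It enforces that the header `alg` is on the caller's allow-list and equal to the key's bound algorithm, that an HMAC algorithm is only used with a `kty: "oct"` key, and that the payload (encoded, unencoded per RFC 7797, or detached) is not decoded until the signature has verified.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


# Hypothetical key object (not PyJWT's PyJWK): a secret bound to exactly one
# algorithm, modelled on a JWK with kty "oct".
@dataclass(frozen=True)
class BoundKey:
    secret: bytes
    alg: str = "HS256"
    kty: str = "oct"


HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_compact_jws(payload: bytes, key: BoundKey, unencoded: bool = False, detach: bool = False) -> str:
    """Build a compact JWS. unencoded=True sets b64=false (RFC 7797); detach=True empties the payload segment."""
    header = {"alg": key.alg, "typ": "JWT"}
    if unencoded:
        header["b64"] = False
        header["crit"] = ["b64"]  # RFC 7797 requires "b64" to be listed in crit
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    segment = payload if unencoded else b64url_encode(payload).encode("ascii")
    signature = hmac.new(key.secret, header_b64.encode("ascii") + b"." + segment, HMAC_ALGS[key.alg]).digest()
    middle = "" if detach else segment.decode("utf-8")
    return f"{header_b64}.{middle}.{b64url_encode(signature)}"


def verify_compact_jws(token: str, key: BoundKey, algorithms: list[str], detached_payload: bytes | None = None) -> dict:
    """Verify an HMAC compact JWS and return its JSON payload; raise InvalidToken on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three segments")
    header_b64, payload_seg, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidToken("malformed header or signature segment") from exc

    # Check 1: header alg must be on the caller's allow-list and be one we implement.
    alg = header.get("alg")
    if alg not in algorithms or alg not in HMAC_ALGS:
        raise InvalidToken(f"alg {alg!r} not permitted")
    # Check 2: the allow-listed header alg must be the one the key is bound to, so the
    # algorithm that passed the allow-list is the algorithm actually used to verify.
    if alg != key.alg:
        raise InvalidToken(f"header alg {alg!r} does not match key alg {key.alg!r}")
    # Check 3: an HMAC alg is only valid with a symmetric (kty "oct") key.
    if key.kty != "oct":
        raise InvalidToken(f"HMAC algorithm used with a {key.kty!r} key")

    # Rebuild the signing input without decoding or parsing the payload.
    if detached_payload is not None and payload_seg != "":
        raise InvalidToken("detached token must carry an empty payload segment")
    b64 = header.get("b64", True)
    if b64 is False:
        if "b64" not in header.get("crit", []):
            raise InvalidToken('b64=false requires "b64" in crit')
        raw = detached_payload if detached_payload is not None else payload_seg.encode("utf-8")
        signing_input = header_b64.encode("ascii") + b"." + raw
    else:
        seg = b64url_encode(detached_payload) if detached_payload is not None else payload_seg
        signing_input = header_b64.encode("ascii") + b"." + seg.encode("utf-8")

    expected = hmac.new(key.secret, signing_input, HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")

    # Only now, with the signature verified, is the payload decoded and parsed.
    payload = raw if b64 is False else b64url_decode(seg)
    try:
        return json.loads(payload)
    except ValueError as exc:
        raise InvalidToken("payload is not JSON") from exc


def rejects(token: str, key: BoundKey, algorithms: list[str], detached_payload: bytes | None = None) -> bool:
    """True if verify_compact_jws raises InvalidToken for these inputs."""
    try:
        verify_compact_jws(token, key, algorithms, detached_payload)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    key = BoundKey(b"constructed-demo-secret-0123456789", "HS256")  # constructed, not a real secret
    token = sign_compact_jws(b'{"sub":"alice"}', key)
    print(verify_compact_jws(token, key, ["HS256"]))
    print("alg/key mismatch rejected:", rejects(token, BoundKey(key.secret, "HS384"), ["HS256", "HS384"]))
```

The mismatch check is the important one for the allow-list advisory: a verifier that takes the algorithm from the key object after allow-listing the header `alg` has two sources of truth, and the checks only mean something if they are forced to agree before any signature is computed.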
PyJWT's PyJWKClient prior to version 2.13.0 accepts arbitrary URI schemes through its uri parameter, which is passed directly to urllib.request.urlopen(). This allows attacker-influenced URLs to trigger unintended protocol handlers, including the file://, ftp:// and data: schemes that urllib supports. The vulnerability creates Server-Side Request Forgery (SSRF) conditions where an attacker can read arbitrary local files or caus [truncated]
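Both PyJWKClient issues above, the refetch on every unknown `kid` and the unrestricted URI scheme handed to `urlopen()`, are addressed at the same layer: whatever wraps the JWKS fetch. The following is an added example of that wrapper, not PyJWT's code and not its API. `validate_jwks_uri`, `JWKSCache`, `FakeClock`, `simulate_unknown_kid_flood` and `SAMPLE_JWKS` are hypothetical names and data constructed for this example; `offline_fetcher` stands in for the network so the block runs offline. The cache refuses any scheme other than https before a URL can reach `urlopen()`, and a miss on an attacker-chosen `kid` triggers at most one JWKS refetch per interval rather than one outbound request per token.

```python
from __future__ import annotations

import json
import time
from urllib.parse import urlparse
from urllib.request import urlopen

# Only these schemes may reach urlopen(); file:, ftp:, data: and the rest are refused up front.
ALLOWED_JWKS_SCHEMES = {"https"}


def validate_jwks_uri(uri: str) -> str:
    """Return uri unchanged if it is an https URL with a host; raise ValueError otherwise."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() not in ALLOWED_JWKS_SCHEMES:
        raise ValueError(f"refusing JWKS URI with scheme {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("JWKS URI has no host")
    return uri


def is_safe_jwks_uri(uri: str) -> bool:
    try:
        validate_jwks_uri(uri)
        return True
    except ValueError:
        return False


def http_fetch_jwks(uri: str, timeout: float = 5.0) -> dict:
    """Real fetcher (unused by the offline demo); callers pass a uri that already passed validate_jwks_uri."""
    with urlopen(uri, timeout=timeout) as resp:
        return json.loads(resp.read(1 << 20))  # cap the document at 1 MiB


class JWKSCache:
    """Caches a JWKS document; an unknown kid refetches at most once per min_refetch_interval seconds."""

    def __init__(self, uri, fetcher=http_fetch_jwks, min_refetch_interval=300.0, clock=time.monotonic):
        self.uri = validate_jwks_uri(uri)  # scheme check happens once, at construction
        self._fetcher = fetcher
        self._interval = min_refetch_interval
        self._clock = clock
        self._keys = {}
        self._last_fetch = None  # None means never fetched
        self.fetch_count = 0

    def _refresh(self) -> None:
        document = self._fetcher(self.uri)
        self._keys = {k["kid"]: k for k in document.get("keys", []) if isinstance(k, dict) and "kid" in k}
        self._last_fetch = self._clock()
        self.fetch_count += 1

    def get_signing_key(self, kid: str) -> dict:
        if self._last_fetch is None:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._clock() - self._last_fetch >= self._interval:
            # kid comes from the unverified token header, so a miss is rate-limited, not trusted.
            self._refresh()
            key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"no signing key with kid {kid!r}")
        return key


class FakeClock:
    """Controllable clock so the rate limit can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


# Constructed sample JWKS with a single HMAC key (the "k" value is a placeholder, not a real secret).
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "key-2024", "alg": "HS256", "k": "c2VjcmV0"}]}


def offline_fetcher(uri: str) -> dict:
    return SAMPLE_JWKS


def simulate_unknown_kid_flood(cache: JWKSCache, attempts: int) -> int:
    """Look up `attempts` attacker-chosen kids and return how many JWKS fetches that caused."""
    before = cache.fetch_count
    for i in range(attempts):
        try:
            cache.get_signing_key(f"evil-{i}")
        except KeyError:
            pass
    return cache.fetch_count - before


if __name__ == "__main__":
    clock = FakeClock()
    cache = JWKSCache("https://issuer.example.com/jwks.json", fetcher=offline_fetcher, clock=clock)
    print(cache.get_signing_key("key-2024")["kid"])
    print("fetches caused by 1000 unknown kids:", simulate_unknown_kid_flood(cache, 1000))
    print("file:// accepted:", is_safe_jwks_uri("file:///etc/passwd"))
```

Keeping the scheme check in the constructor rather than at fetch time means a misconfigured or attacker-influenced URI fails before any key lookup, and the refetch interval turns an unbounded request amplifier into one request per interval regardless of how many tokens with bogus `kid` values arrive.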