Pyjwt_project Pyjwt
7 CVEs affecting Pyjwt_project Pyjwt. Latest disclosed: 2026-05-28. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-32597 | High | 7.5 | 2026-03-13 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11… |
| CVE-2017-11424 | High | 7.5 | 2017-08-24 | In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 P… |
| CVE-2026-48526 | High | 7.4 | 2026-05-28 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC a… |
| CVE-2026-48523 | Medium | 5.4 | 2026-05-28 | PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_… |
| CVE-2026-48525 | Medium | 5.3 | 2026-05-28 | PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false… |
| CVE-2026-48522 | Medium | 4.2 | 2026-05-28 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python… |
| CVE-2026-48524 | Low | 3.7 | 2026-05-28 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every J… |
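The verifier-side entries in this table share a shape: the verifier trusts something the token or the configured key handed it, an unvalidated `crit` list (CVE-2026-32597), a PEM public key accepted as an HMAC secret (CVE-2017-11424), or an algorithm outside the intended allow-list (the HMAC/asymmetric and allow-list entries). The stdlib-only JWS verifier below is an added example, not PyJWT's code and not taken from any of the advisories; it shows the checks a verifier should make: `validate_crit` enforces RFC 7515 §4.1.11, `hmac_prepare_key` refuses PEM/OpenSSH public-key material on the HMAC path (including the PKCS#1 `-----BEGIN RSA PUBLIC KEY-----` armour the old check missed), and `verify` takes its algorithm allow-list from the caller, intersected with the algorithms it actually implements, never from the token. All function names, the secret, the claims and the placeholder PEM are constructed for the example; it implements HS256 only and does not reproduce the specific 2.9.0 to 2.12.1 bypass, whose details the table truncates.

```python
import base64
import hashlib
import hmac
import json

class InvalidTokenError(Exception):
    """Any reason the verifier refuses a token."""

# PEM/OpenSSH public-key armour. An HMAC "secret" containing one of these is almost certainly the
# asymmetric public key (the CVE-2017-11424 setup); the PKCS#1 "RSA PUBLIC KEY" form was the one missed.
PUBLIC_KEY_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN RSA PUBLIC KEY-----",
                      b"-----BEGIN CERTIFICATE-----", b"ssh-rsa")
# Header Parameter names defined by RFC 7515 itself; section 4.1.11 forbids listing them in "crit".
JWS_REGISTERED_HEADERS = frozenset(["alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
                                    "typ", "cty", "crit"])
IMPLEMENTED_ALGS = frozenset(["HS256"])  # signed algorithms this toy implements; "none" never qualifies

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore stripped padding; validate=True rejects out-of-alphabet bytes instead of dropping them.
    return base64.b64decode(text + "=" * (-len(text) % 4), altchars=b"-_", validate=True)

def sign(payload: dict, key: bytes, alg: str = "HS256", extra_header=None) -> str:
    """Compact JWS producer. alg="none" exists only so the scenarios can build forged tokens."""
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    header = {"alg": alg, "typ": "JWT", **(extra_header or {})}
    signing_input = seg(header) + "." + seg(payload)
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def hmac_prepare_key(key: bytes) -> bytes:
    """Refuse an HMAC secret that is really an asymmetric public key."""
    if any(marker in key for marker in PUBLIC_KEY_MARKERS):
        raise InvalidTokenError("HMAC secret looks like a public key (algorithm confusion)")
    return key

def validate_crit(header: dict, supported_extensions: frozenset) -> None:
    """Enforce RFC 7515 section 4.1.11 on the "crit" Header Parameter."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if (not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit)
            or len(set(crit)) != len(crit)):
        raise InvalidTokenError('"crit" must be a non-empty array of distinct strings')
    for name in crit:
        if name in JWS_REGISTERED_HEADERS or name not in header:
            raise InvalidTokenError(f'"crit" entry {name!r} is a registered header or absent from the header')
        if name not in supported_extensions:
            raise InvalidTokenError(f"critical extension {name!r} is not supported; token is invalid")

def verify(token: str, key: bytes, algorithms: list, supported_extensions: frozenset = frozenset()) -> dict:
    """Verify a compact JWS. `algorithms` is the verifier's allow-list; the token never chooses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("compact JWS must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header, signature = json.loads(b64url_decode(header_b64)), b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidTokenError("header or signature is not valid base64url/JSON") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in IMPLEMENTED_ALGS.intersection(algorithms):
        raise InvalidTokenError(f"algorithm {alg!r} is not an allow-listed signed algorithm")
    validate_crit(header, supported_extensions)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(hmac_prepare_key(key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidTokenError("signature mismatch")
    try:
        return json.loads(b64url_decode(payload_b64))  # parsed only after the signature checks out
    except ValueError as exc:
        raise InvalidTokenError("payload is not valid base64url/JSON") from exc

def run_scenarios() -> dict:
    """Drive the verifier over constructed tokens; "accepted:<sub>" or "rejected:<reason>" per case."""
    secret = b"constructed-demo-secret-not-for-production"
    claims = {"sub": "alice", "role": "admin"}
    # Constructed placeholder standing in for the server's RS256 verification key; not a real key.
    pem = b"-----BEGIN RSA PUBLIC KEY-----\n(constructed placeholder, not a real key)\n-----END RSA PUBLIC KEY-----\n"
    results = {}
    def attempt(name, token, key, algorithms, supported=frozenset()):
        try:
            results[name] = "accepted:" + verify(token, key, algorithms, supported)["sub"]
        except InvalidTokenError as exc:
            results[name] = "rejected:" + str(exc)
    attempt("valid_hs256", sign(claims, secret), secret, ["HS256"])
    attempt("alg_none", sign(claims, b"", alg="none"), secret, ["HS256", "none"])
    # Attacker HMAC-signs with the server's public key; the verifier's allow-list permits both families.
    attempt("key_confusion", sign(claims, pem), pem, ["RS256", "HS256"])
    attempt("crit_registered_name", sign(claims, secret, extra_header={"crit": ["alg"]}), secret, ["HS256"])
    ext = {"crit": ["x-tenant"], "x-tenant": "acme"}
    attempt("crit_unknown_extension", sign(claims, secret, extra_header=ext), secret, ["HS256"])
    attempt("crit_known_extension", sign(claims, secret, extra_header=ext), secret, ["HS256"],
            frozenset({"x-tenant"}))
    return results
```

`run_scenarios()` accepts only the honest HS256 token and the token whose critical extension the verifier declared support for; the `alg: none` token is refused even though a careless caller listed `"none"`, because the effective allow-list is the intersection of the caller's list and the implemented signed algorithms. With the real library the equivalent is to run a fixed release and call `jwt.decode(token, key, algorithms=[...])` with an explicit list; per CVE-2026-48523 above, the explicit list is necessary but not sufficient on the affected 2.9.0 to 2.12.1 releases, so the version floor matters as much as the call site.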