18 Total advisories
18 Vulnerabilities
0 Malware

Vulnerabilities

MEDIUM 4.2
PyPI

CVE-2026-48522

PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes

MEDIUM 5.4
PyPI

CVE-2026-48523

PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

HIGH 7.4
PyPI

CVE-2026-48526

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed

MEDIUM 5.3
PyPI

CVE-2026-48525

PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS

LOW 3.7
PyPI

CVE-2026-48524

PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

HIGH 7.5
PyPI

CVE-2026-32597

PyJWT accepts unknown `crit` header extensions

HIGH 7.0
PyPI

CVE-2025-45768

CVE-2025-45768

LOW 2.2
PyPI

CVE-2024-53861

PyJWT Issuer field partial matches allowed

HIGH 7.5
PyPI

CVE-2017-11424

PyJWT vulnerable to key confusion attacks

HIGH 7.4
PyPI

CVE-2022-29217

Key confusion through non-blocklisted public key formats
