VYPR

Vendor: Authlib
Products: 2
CVEs: 20 (20 across products)
Status: Private

Recent CVEs (20)
  • CVE-2026-33079 | High | May 6, 2026
    risk 0.50, CVSS n/a, EPSS 0.00

    In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles…

  • CVE-2026-44681 | Medium | May 27, 2026
    risk 0.33, CVSS 6.1, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an…

  • CVE-2026-44898 | Medium | May 26, 2026
    risk 0.33, CVSS 6.1, EPSS 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#") and the text value (used as the visible link label) are inserted…

  • CVE-2026-44897 | Medium | May 26, 2026
    risk 0.33, CVSS 6.1, EPSS 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or any other sanitisation…

  • CVE-2026-44896 | Medium | May 26, 2026
    risk 0.33, CVSS 6.1, EPSS 0.00

    Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and…

  • CVE-2026-44708 | Medium | May 26, 2026
    risk 0.33, CVSS 6.1, EPSS 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even…

  • CVE-2026-41425 | Medium | Apr 24, 2026
    risk 0.28, CVSS 5.4, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

  • CVE-2026-44899 | Medium | May 26, 2026
    risk 0.24, CVSS 4.7, EPSS 0.00

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not a plain integer,…

  • CVE-2026-48990 | Jun 17, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead…

  • CVE-2026-41479 | Jun 8, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any…

  • CVE-2026-33441 | May 6, 2026
    risk 0.00, CVSS n/a, EPSS n/a

    Rejected reason: This CVE is a duplicate of another CVE: CVE-2026-33079.

  • CVE-2026-28498 | Mar 16, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash…

  • CVE-2026-28490 | Mar 16, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management…

  • CVE-2026-27962 | Mar 16, 2026
    risk 0.00, CVSS n/a, EPSS 0.01

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When…

  • CVE-2026-28802 | Mar 6, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to…

  • CVE-2025-68158 | Jan 8, 2026
    risk 0.00, CVSS n/a, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an…

  • CVE-2025-62706 | Oct 22, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who…

  • CVE-2025-61920 | Oct 10, 2025
    risk 0.00, CVSS n/a, EPSS 0.01

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans…

  • CVE-2025-59420 | Sep 22, 2025
    risk 0.00, CVSS n/a, EPSS 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a…

  • CVE-2024-37568 | Jun 9, 2024
    risk 0.00, CVSS n/a, EPSS 0.00

    lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)