GHSA-rm76-4mrf-v9r8: vLLM uses Python 3.12 built-in hash() which leads to predictable hash collisions in prefix cache

GHSA-c7w4-9wv8-7x7c: WhoDB allows parameter injection in DB connection URIs leading to local file inclusion

GHSA-9r4c-jwx3-3j76: WhoDB has a path traversal opening Sqlite3 database

GHSA-2hjh-495w-hmxc: Sylius allows unrestricted brute-force attacks on user accounts

GHSA-j82m-pc2v-2484: Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

**python-jose denial of service via compressed JWT tokens**

Moderate severity GitHub Reviewed Published Apr 26, 2024 to the GitHub Advisory Database • Updated Apr 26, 2024

Headline

GHSA-cjwg-qfpm-7377: python-jose denial of service via compressed JWT tokens

ghsa: Latest News