CRITICAL9.8CVE-2026-28802Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification from 0
CRITICAL9.1CVE-2026-27962Authlib JWS JWK Header Injection: Signature Verification Bypass from 0, < 0.15.4-1+deb11u2
HIGH7.5CVE-2026-28498Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding from 0, < 0.15.4-1+deb11u2
HIGH7.5CVE-2025-61920Authlib is vulnerable to Denial of Service via Oversized JOSE Segments from 0, < 0.15.4-1+deb11u1
HIGH7.5CVE-2025-59420Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) from 0, < 0.15.4-1+deb11u1
HIGH7.4CVE-2024-37568Authlib has algorithm confusion with asymmetric public keys from 0, < 0.15.4-1+deb11u1
HIGH7.4CVE-2024-37568Authlib has algorithm confusion with asymmetric public keys from 0, < 0.15.4-1+deb11u1
MEDIUM6.5CVE-2026-28490Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle from 0, < 0.15.4-1+deb11u2
MEDIUM6.5CVE-2025-62706Authlib : JWE zip=DEF decompression bomb enables DoS from 0, < 0.15.4-1+deb11u1
MEDIUM6.1CVE-2026-44681Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect from 0
MEDIUM5.7CVE-2025-68158Authlib has 1-click Account Takeover vulnerability from 0
MEDIUM5.4CVE-2026-41425Authlib: Cross-site request forging when using cache from 0