{"vulnerability": "cve-2026-4852", "sightings": [{"uuid": "181f84c1-b0ec-4f00-bf6c-d4800f998861", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48527", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmyuju2ije22", "content": "CVE-2026-48527 - HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint\nCVE ID : CVE-2026-48527\n \n Published : May 29, 2026, 1:16 p.m. | 1\u00a0hour, 55\u00a0minutes ago\n \n Description : HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up...", "creation_timestamp": "2026-05-29T15:37:37.120252Z"}, {"uuid": "0dccc110-b203-4a63-b2bc-5ddccbf57c49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwjprwno32c", "content": "CVE-2026-48524 - PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)\nCVE ID : CVE-2026-48524\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, P...", "creation_timestamp": "2026-05-28T17:18:42.980532Z"}, {"uuid": "c45639e4-1719-4798-a87d-e4f9e0da5462", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48526", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwksx74os2e", "content": "CVE-2026-48526 - PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed\nCVE ID : CVE-2026-48526\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. Prior...", "creation_timestamp": "2026-05-28T17:38:22.790548Z"}, {"uuid": "ea056b43-3f36-4023-b0c2-be8378982c6d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48523", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwl3vmqup2r", "content": "CVE-2026-48523 - PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys\nCVE ID : CVE-2026-48523\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there ...", "creation_timestamp": "2026-05-28T17:43:23.255339Z"}, {"uuid": "6120e7f4-67dc-4baa-9b25-dde308a13b94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48525", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwleu26lh2k", "content": "CVE-2026-48525 - PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS\nCVE ID : CVE-2026-48525\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python....", "creation_timestamp": "2026-05-28T17:48:23.732898Z"}, {"uuid": "d412ee9d-9fef-437a-a608-1ad70b95b8e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48522", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwlnshmtl2k", "content": "CVE-2026-48522 - PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes\nCVE ID : CVE-2026-48522\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. Prior to ...", "creation_timestamp": "2026-05-28T17:53:23.839388Z"}, {"uuid": "f5e537dd-f190-4d94-872f-d8c2f4e5ed93", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4852", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjxj2wb56l2i", "content": "", "creation_timestamp": "2026-04-20T22:24:09.518271Z"}, {"uuid": "e21227da-aaa1-48de-afda-d908512fbc23", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48527", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mn45s4mkta2s", "content": "\ud83d\udfe0 CVE-2026-48527 - High (8.7)\n\nHAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-48527/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-30T23:01:15.705522Z"}, {"uuid": "bb7c428f-9007-4a4f-90e2-0fac2e5174f5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-48527", "type": "published-proof-of-concept", "source": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g2g8-95qg-v35h", "content": "", "creation_timestamp": "2026-05-21T20:37:15.000000Z"}, {"uuid": "f37007a3-5fbd-471b-9966-f4bba1f6fcf4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48526", "type": "seen", "source": "https://gist.github.com/alon710/93387c2165378ba3df7fa81047a5bf97", "content": "# CVE-2026-48526: CVE-2026-48526: Algorithm Confusion Vulnerability in PyJWT\n\n> **CVSS Score:** 7.4\n> **Published:** 2026-05-28\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48526\n\n## Summary\nCVE-2026-48526 is an algorithm-confusion vulnerability in PyJWT prior to version 2.13.0. When an application decodes tokens using a raw JSON Web Key (JWK) string while simultaneously supporting mixed algorithm families (symmetric and asymmetric), PyJWT does not validate that the key matches its intended algorithm context. This allows an attacker to sign a forged token using the public JWK string as an HMAC symmetric secret, bypassing authentication controls.\n\n## TL;DR\nAn algorithm-confusion vulnerability in PyJWT allows remote attackers to bypass authentication by signing forged tokens with a public JWK string treated as a symmetric HMAC secret.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-287\n- **Attack Vector**: Network\n- **CVSS**: 7.4\n- **EPSS Score**: 0.00017\n- **Impact**: High\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pyjwt (Python JSON Web Token Library)\n- **pyjwt**: < 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade pyjwt to version 2.13.0 or later.\n- Do not allow mixed algorithm families in jwt.decode calls.\n- Parse public keys explicitly using PyJWK rather than passing raw JSON strings.\n\n**Remediation Steps:**\n1. Run `pip install --upgrade pyjwt` to update to 2.13.0+.\n2. Review jwt.decode usage to ensure the algorithms list is restricted strictly to either symmetric (e.g. HS256) or asymmetric (e.g. RS256) families.\n3. Modify raw key-loading paths to parse JWK dictionaries using `jwt.PyJWK` before verification.\n\n## References\n\n- [NVD - CVE-2026-48526](https://nvd.nist.gov/vuln/detail/CVE-2026-48526)\n- [CVE-2026-48526 Record](https://www.cve.org/CVERecord?id=CVE-2026-48526)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48526) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T08:21:13.000000Z"}]}