From d2f2acf140c4634fc9049f6f68b0ae11f99666c3 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Sun, 21 Jun 2026 13:44:01 +0300
Subject: [PATCH 1/5] update dependencies

---
 go.mod | 8 ++++----
 go.sum | 16 ++++++++--------
 scanrepository/scanrepository_test.go | 13 +++++++++----
 3 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/go.mod b/go.mod
index be169172a..6a90b3963 100644
--- a/go.mod
+++ b/go.mod
@@ -9,12 +9,12 @@ require (
 github.com/go-git/go-git/v5 v5.19.1
 github.com/golang/mock v1.6.0
 github.com/google/go-github/v45 v45.2.0
- github.com/jfrog/build-info-go v1.13.1-0.20260528065004-80409c046540
+ github.com/jfrog/build-info-go v1.13.1-0.20260615080618-42488b58c305
 github.com/jfrog/froggit-go v1.22.0
 github.com/jfrog/gofrog v1.7.6
- github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260603105750-3886c0f01286
- github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260601130310-8d52a530da18
- github.com/jfrog/jfrog-cli-security v1.29.3
+ github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260618051529-1b76b6ad2606
+ github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260615072209-8ccac4f0072e
+ github.com/jfrog/jfrog-cli-security v1.31.0
 github.com/jfrog/jfrog-client-go v1.55.1-0.20260603130552-af1dd449b994
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible
 github.com/owenrumney/go-sarif/v3 v3.2.3
diff --git a/go.sum b/go.sum
index 774662f58..7ffa1dce1 100644
--- a/go.sum
+++ b/go.sum
@@ -138,20 +138,20 @@ github.com/jedib0t/go-pretty/v6 v6.7.10 h1:B/2qW2Bkv2L6n14PP8o1kx75kWzHOQ3YTluWz
 github.com/jedib0t/go-pretty/v6 v6.7.10/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
 github.com/jfrog/archiver/v3 v3.6.3 h1:hkAmPjBw393tPmQ07JknLNWFNZjXdy2xFEnOW9wwOxI=
 github.com/jfrog/archiver/v3 v3.6.3/go.mod h1:5V9l+Fte30Y4qe9dUOAd3yNTf8lmtVNuhKNrvI8PMhg=
-github.com/jfrog/build-info-go v1.13.1-0.20260528065004-80409c046540 h1:yJjTgSfmsBx9Q6/iiJxXQ/m0KZfFjNx8nNzaRLCM7z4=
-github.com/jfrog/build-info-go v1.13.1-0.20260528065004-80409c046540/go.mod h1:CYRUCvLKfyARjoJXLWAxce1qNUxTEtbRKAARkV42vpE=
+github.com/jfrog/build-info-go v1.13.1-0.20260615080618-42488b58c305 h1:q7/hTPm6ibQf45CztScTgPb8cAmKIeQ9im0ClISsq7Y=
+github.com/jfrog/build-info-go v1.13.1-0.20260615080618-42488b58c305/go.mod h1:CYRUCvLKfyARjoJXLWAxce1qNUxTEtbRKAARkV42vpE=
 github.com/jfrog/froggit-go v1.22.0 h1:eeN5F8sOUo+h2cXkzArAu4nvSdjkDTAZtgqwrct70qg=
 github.com/jfrog/froggit-go v1.22.0/go.mod h1:wRDryqyp3oe+eHgME2mpnEQmO8XBECIPagFwj0nHmdI=
 github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
 github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
 github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
 github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
-github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260603105750-3886c0f01286 h1:IF9Fyhfd7hilnuHO2AezV3lE9SF2FSxRxs4gfcU3f1U=
-github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260603105750-3886c0f01286/go.mod h1:GQEGVW3wT1XPykXNsEiPQrF8/+01JvDVcGGYb5vqJuE=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260601130310-8d52a530da18 h1:tPv7XscDFAZaijVwMQNb+HmuucUMYQdjuA5frdGzhF0=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260601130310-8d52a530da18/go.mod h1:9R90mhbczGXwW5EGlDs7F08ejQU/xdoDhYHMvzBiqgE=
-github.com/jfrog/jfrog-cli-security v1.29.3 h1:cIoDn5NkhmrVANUr22H2IVwYjqeFTA+e61lb4qE+8X8=
-github.com/jfrog/jfrog-cli-security v1.29.3/go.mod h1:wTdl1sSLyq+TzOPnncxBBhqCKEqF2kp9l86k+Y5E3mM= +github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260618051529-1b76b6ad2606 h1:hlc8XoqySjbrvKKjxswyXQ/q5I0Px9FcZpVZUTd+T3M= +github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260618051529-1b76b6ad2606/go.mod h1:VqV0Bed11HoBlugAEGa3RumbwnDVslEf0gKocTzLs9s= +github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260615072209-8ccac4f0072e h1:E3B8OyEkCsdEdGsZifTphBDUPrd00yKoemL9+l25Qj8= +github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260615072209-8ccac4f0072e/go.mod h1:9R90mhbczGXwW5EGlDs7F08ejQU/xdoDhYHMvzBiqgE= +github.com/jfrog/jfrog-cli-security v1.31.0 h1:YvFzfX29k0jonh2HrgQYqoje+nfyv36dR5ED/9rSZHY= +github.com/jfrog/jfrog-cli-security v1.31.0/go.mod h1:TVQqBGnvVqCO6+CebV+JkOM/LgisdHv4oK3gCFDkKg8= github.com/jfrog/jfrog-client-go v1.55.1-0.20260603130552-af1dd449b994 h1:z1/WjItD4X9z1VkYhzrnbd0NWXp6+0I/LoP7XmsHl4U= github.com/jfrog/jfrog-client-go v1.55.1-0.20260603130552-af1dd449b994/go.mod h1:FHpjN1nTDoj96xd6obe27EOgGErqzU0rQgC96L3Ch9E= github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c= diff --git a/scanrepository/scanrepository_test.go b/scanrepository/scanrepository_test.go index 08e02763d..072dd3588 100644 --- a/scanrepository/scanrepository_test.go +++ b/scanrepository/scanrepository_test.go @@ -40,6 +40,11 @@ func floatPtr(f float64) *float64 { return &f } +func componentPtr(id string) *cyclonedx.Component { + c := results.CreateScaComponentFromXrayCompId(id) + return &c +} + var testPackagesData = []struct { packageType string commandName string 
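Review bot: The new `componentPtr` helper has no doc comment, and nothing in the hunk says why the call sites stopped assigning `results.CreateScaComponentFromXrayCompId(...)` directly; a one-liner such as `// componentPtr builds the SCA component for an Xray component id and returns its address, for fields typed *cyclonedx.Component.` would make the intent readable next to `floatPtr`. The pointer-returning wrapper is presumably needed because the `ImpactedComponent` field changed type in the jfrog-cli-security bump to v1.31.0 made in this same commit; stating that in the commit message or the comment would save the next reader a dependency dig. The four call sites are the hunks at lines 576–657 of the same file and need no separate note. The `cyclonedx` import is not visible in this hunk, so it is assumed to already exist in the file.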
@@ -571,7 +576,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
 Severity: severityutils.Critical,
 Watch: "w1",
 },
- ImpactedComponent: results.CreateScaComponentFromXrayCompId("viol1"),
+ ImpactedComponent: componentPtr("viol1"),
 DirectComponents: []formats.ComponentRow{{Name: "viol1", Version: "1.0.0"}},
 ImpactPaths: [][]formats.ComponentRow{{{Name: "root"}, {Name: "viol1", Version: "1.0.0"}}},
 },
@@ -598,7 +603,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
 Severity: severityutils.Critical,
 Watch: "w1",
 },
- ImpactedComponent: results.CreateScaComponentFromXrayCompId("viol1"),
+ ImpactedComponent: componentPtr("viol1"),
 DirectComponents: []formats.ComponentRow{{Name: "viol1", Version: "1.0.0"}},
 ImpactPaths: [][]formats.ComponentRow{{{Name: "root"}, {Name: "viol1", Version: "1.0.0"}}},
 },
@@ -625,7 +630,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
 Severity: severityutils.High,
 Watch: "w1",
 },
- ImpactedComponent: results.CreateScaComponentFromXrayCompId("viol2"),
+ ImpactedComponent: componentPtr("viol2"),
 DirectComponents: []formats.ComponentRow{{Name: "viol2", Version: "2.0.0"}},
 ImpactPaths: [][]formats.ComponentRow{{{Name: "root"}, {Name: "viol1", Version: "1.0.0"}, {Name: "viol2", Version: "2.0.0"}}},
 },
@@ -652,7 +657,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
 Severity: severityutils.High,
 Watch: "w1",
 },
- ImpactedComponent: results.CreateScaComponentFromXrayCompId("viol2"),
+ ImpactedComponent: componentPtr("viol2"),
 DirectComponents: []formats.ComponentRow{{Name: "viol2", Version: "2.0.0"}},
 ImpactPaths: [][]formats.ComponentRow{{{Name: "root"}, {Name: "viol1", Version: "1.0.0"}, {Name: "viol2", Version: "2.0.0"}}},
 },

From 78dee85b9ffa4636ef0647bc9217d8058db6a3f5 Mon Sep 17 00:00:00 2001
From: Eran Turgeman Date: Sun, 21 Jun 2026 14:34:34 +0300 Subject: [PATCH 2/5] . --- .../test_proj_pip_with_vulnerability.md | 28 +++++++++---------- .../expected_response_multi_dir.md | 28 +++++++++---------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/testdata/messages/integration/test_proj_pip_with_vulnerability.md b/testdata/messages/integration/test_proj_pip_with_vulnerability.md index c5fd4ae17..c169334a3 100644 --- a/testdata/messages/integration/test_proj_pip_with_vulnerability.md +++ b/testdata/messages/integration/test_proj_pip_with_vulnerability.md @@ -27,10 +27,10 @@ | Severity | ID | Contextual Analysis | Direct Dependencies | Impacted Dependency | Fixed Versions | | :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | -| ![high](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | CVE-2026-48526 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | | ![high](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | CVE-2022-29217 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.4.0] | | ![medium](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)
Medium | CVE-2026-48522 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | | ![low](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableLowSeverity.png)
Low | CVE-2026-48524 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | +| ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2026-48526 | Not Applicable | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | | ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2026-32597 | Not Applicable | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.12.0] | | ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2025-45768 | Not Applicable | pyjwt:1.7.1 | pyjwt 1.7.1 | - | @@ -40,19 +40,6 @@ ### 🔖 Details -
[ CVE-2026-48526 ] pyjwt 1.7.1 - -### Vulnerability Details -| | | -| --------------------- | :-----------------------------------: | -| **Contextual Analysis:** | Not Covered | -| **Direct Dependencies:** | pyjwt:1.7.1 | -| **Impacted Dependency:** | pyjwt:1.7.1 | -| **Fixed Versions:** | [2.13.0] | -| **CVSS V3:** | 7.4 | - -PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
-
[ CVE-2022-29217 ] pyjwt 1.7.1 ### Vulnerability Details @@ -171,6 +158,19 @@ Using a key with a short length may lead to attackers successfully brute-forcing The vulnerability was disputed (and never fixed) since the maintainers claim that the key is chosen by the application that uses the library, and is responsible for choosing a sufficiently long key.
+
[ CVE-2026-48526 ] pyjwt 1.7.1 + +### Vulnerability Details +| | | +| --------------------- | :-----------------------------------: | +| **Contextual Analysis:** | Not Applicable | +| **Direct Dependencies:** | pyjwt:1.7.1 | +| **Impacted Dependency:** | pyjwt:1.7.1 | +| **Fixed Versions:** | [2.13.0] | +| **CVSS V3:** | 7.4 | + +PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
+ ---
diff --git a/testdata/scanpullrequest/expected_response_multi_dir.md b/testdata/scanpullrequest/expected_response_multi_dir.md index b950fe491..f5d901daa 100644 --- a/testdata/scanpullrequest/expected_response_multi_dir.md +++ b/testdata/scanpullrequest/expected_response_multi_dir.md @@ -31,10 +31,10 @@ | ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2026-27903 | Not Applicable | minimatch:3.0.4 | minimatch 3.0.4 | [3.1.3]
[4.2.5]
[5.1.8]
[6.2.2]
[7.4.8]
[8.0.6]
[9.0.7]
[10.2.3] | | ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2026-26996 | Not Applicable | minimatch:3.0.4 | minimatch 3.0.4 | [3.1.3]
[4.2.4]
[5.1.7]
[6.2.1]
[7.4.7]
[8.0.5]
[9.0.6]
[10.2.1] | | ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2022-3517 | Not Applicable | minimatch:3.0.4 | minimatch 3.0.4 | [3.0.5] | -| ![high](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | CVE-2026-48526 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | | ![high](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | CVE-2022-29217 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.4.0] | | ![medium](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)
Medium | CVE-2026-48522 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | | ![low](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableLowSeverity.png)
Low | CVE-2026-48524 | Not Covered | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | +| ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2026-48526 | Not Applicable | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.13.0] | | ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2026-32597 | Not Applicable | pyjwt:1.7.1 | pyjwt 1.7.1 | [2.12.0] | | ![high (not applicable)](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | CVE-2025-45768 | Not Applicable | pyjwt:1.7.1 | pyjwt 1.7.1 | - | @@ -197,19 +197,6 @@ function redosDetector(input_string, limit) { A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
-
[ CVE-2026-48526 ] pyjwt 1.7.1 - -### Vulnerability Details -| | | -| --------------------- | :-----------------------------------: | -| **Contextual Analysis:** | Not Covered | -| **Direct Dependencies:** | pyjwt:1.7.1 | -| **Impacted Dependency:** | pyjwt:1.7.1 | -| **Fixed Versions:** | [2.13.0] | -| **CVSS V3:** | 7.4 | - -PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
-
[ CVE-2022-29217 ] pyjwt 1.7.1 ### Vulnerability Details @@ -328,6 +315,19 @@ Using a key with a short length may lead to attackers successfully brute-forcing The vulnerability was disputed (and never fixed) since the maintainers claim that the key is chosen by the application that uses the library, and is responsible for choosing a sufficiently long key.
+
[ CVE-2026-48526 ] pyjwt 1.7.1 + +### Vulnerability Details +| | | +| --------------------- | :-----------------------------------: | +| **Contextual Analysis:** | Not Applicable | +| **Direct Dependencies:** | pyjwt:1.7.1 | +| **Impacted Dependency:** | pyjwt:1.7.1 | +| **Fixed Versions:** | [2.13.0] | +| **CVSS V3:** | 7.4 | + +PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
+ ---
From b6f7dd7c969dd045f186c35f5705e6e236b96c83 Mon Sep 17 00:00:00 2001 From: Eran Turgeman Date: Sun, 21 Jun 2026 15:26:55 +0300 Subject: [PATCH 3/5] . --- .../test_proj_pip_with_vulnerability.md | 26 +++++++++---------- .../expected_response_multi_dir.md | 26 +++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/testdata/messages/integration/test_proj_pip_with_vulnerability.md b/testdata/messages/integration/test_proj_pip_with_vulnerability.md index c169334a3..cf34f2644 100644 --- a/testdata/messages/integration/test_proj_pip_with_vulnerability.md +++ b/testdata/messages/integration/test_proj_pip_with_vulnerability.md @@ -111,6 +111,19 @@ PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.
+
[ CVE-2026-48526 ] pyjwt 1.7.1 + +### Vulnerability Details +| | | +| --------------------- | :-----------------------------------: | +| **Contextual Analysis:** | Not Applicable | +| **Direct Dependencies:** | pyjwt:1.7.1 | +| **Impacted Dependency:** | pyjwt:1.7.1 | +| **Fixed Versions:** | [2.13.0] | +| **CVSS V3:** | 7.4 | + +PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
+
[ CVE-2026-32597 ] pyjwt 1.7.1 ### Vulnerability Details @@ -158,19 +171,6 @@ Using a key with a short length may lead to attackers successfully brute-forcing The vulnerability was disputed (and never fixed) since the maintainers claim that the key is chosen by the application that uses the library, and is responsible for choosing a sufficiently long key.
-
[ CVE-2026-48526 ] pyjwt 1.7.1 - -### Vulnerability Details -| | | -| --------------------- | :-----------------------------------: | -| **Contextual Analysis:** | Not Applicable | -| **Direct Dependencies:** | pyjwt:1.7.1 | -| **Impacted Dependency:** | pyjwt:1.7.1 | -| **Fixed Versions:** | [2.13.0] | -| **CVSS V3:** | 7.4 | - -PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
- ---
diff --git a/testdata/scanpullrequest/expected_response_multi_dir.md b/testdata/scanpullrequest/expected_response_multi_dir.md index f5d901daa..7557db151 100644 --- a/testdata/scanpullrequest/expected_response_multi_dir.md +++ b/testdata/scanpullrequest/expected_response_multi_dir.md @@ -268,6 +268,19 @@ PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.
+
[ CVE-2026-48526 ] pyjwt 1.7.1 + +### Vulnerability Details +| | | +| --------------------- | :-----------------------------------: | +| **Contextual Analysis:** | Not Applicable | +| **Direct Dependencies:** | pyjwt:1.7.1 | +| **Impacted Dependency:** | pyjwt:1.7.1 | +| **Fixed Versions:** | [2.13.0] | +| **CVSS V3:** | 7.4 | + +PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
+
[ CVE-2026-32597 ] pyjwt 1.7.1 ### Vulnerability Details @@ -315,19 +328,6 @@ Using a key with a short length may lead to attackers successfully brute-forcing The vulnerability was disputed (and never fixed) since the maintainers claim that the key is chosen by the application that uses the library, and is responsible for choosing a sufficiently long key.
-
[ CVE-2026-48526 ] pyjwt 1.7.1 - -### Vulnerability Details -| | | -| --------------------- | :-----------------------------------: | -| **Contextual Analysis:** | Not Applicable | -| **Direct Dependencies:** | pyjwt:1.7.1 | -| **Impacted Dependency:** | pyjwt:1.7.1 | -| **Fixed Versions:** | [2.13.0] | -| **CVSS V3:** | 7.4 | - -PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.
- ---
From d8d5d4e62fbc5130dcc2ceeb4daa66ddbe1e4f59 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Sun, 21 Jun 2026 15:56:50 +0300
Subject: [PATCH 4/5] .

---
 scanpullrequest/scanpullrequest_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scanpullrequest/scanpullrequest_test.go b/scanpullrequest/scanpullrequest_test.go
index 73656a3a6..5f1d2c7c1 100644
--- a/scanpullrequest/scanpullrequest_test.go
+++ b/scanpullrequest/scanpullrequest_test.go
@@ -198,7 +198,7 @@ func TestScanPullRequest(t *testing.T) {
 failOnSecurityIssues bool
 }{
 {
- testName: "ScanPullRequest",
+ testName: "ScanPullRequest.",
 configPath: testProjConfigPath,
 projectName: "test-proj",
 failOnSecurityIssues: true,

From a02c2aa7a29368d9cdb16e0e3be62b2db986e469 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Sun, 21 Jun 2026 15:56:56 +0300
Subject: [PATCH 5/5] .

---
 scanpullrequest/scanpullrequest_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scanpullrequest/scanpullrequest_test.go b/scanpullrequest/scanpullrequest_test.go
index 5f1d2c7c1..73656a3a6 100644
--- a/scanpullrequest/scanpullrequest_test.go
+++ b/scanpullrequest/scanpullrequest_test.go
@@ -198,7 +198,7 @@ func TestScanPullRequest(t *testing.T) {
 failOnSecurityIssues bool
 }{
 {
- testName: "ScanPullRequest.",
+ testName: "ScanPullRequest",
 configPath: testProjConfigPath,
 projectName: "test-proj",
 failOnSecurityIssues: true,