CVE-2026-53776

Publié : 16 juin 2026

Modifié : 16 juin 2026

Score CVSS

9.1

CRITICAL

Description détaillée

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Références et Patchs

https://github.com/PerryTS/perry/releases/v0.5.1166 https://github.com/PerryTS/perry/security/advisories/GHSA-5324-c68v-8w62 https://www.vulncheck.com/advisories/perry-jwt-expiration-bypass-via-verify-decode

Dernières Vulnérabilités

CVE-2026-44932

Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.

VOIR DÉTAILS

CVE-2026-42089

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.

VOIR DÉTAILS

CVE-2026-39927

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

VOIR DÉTAILS