CVE-2026-33204

{"id": "CVE-2026-33204", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T23:16:45.677", "references": [{"url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1", "source": "security-advisories@github.com"}, {"url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."}, {"lang": "es", "value": "SimpleJWT es una sencilla biblioteca de tokens web JSON escrita en PHP. Antes de la versi\u00f3n 1.1.1, un atacante no autenticado puede realizar una denegaci\u00f3n de servicio mediante la manipulaci\u00f3n del encabezado JWE cuando se utilizan algoritmos PBES2. Las aplicaciones que llaman a JWE::decrypt() en JWEs controlados por el atacante utilizando algoritmos PBES2 se ven afectadas. Este problema ha sido parcheado en la versi\u00f3n 1.1.1."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security-advisories@github.com"}