{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:b31b86ad-8483-5b51-8990-9f2342a6c322", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:pypi/pyjwt@1.7.1", "type": "library", "name": "pyjwt", "version": "1.7.1", "purl": "pkg:pypi/pyjwt@1.7.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:8359e5a7-21e1-5466-90d3-94aa432914f4", "id": "CVE-2026-48524", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-48524 does not affect version 1.7.1 of pyjwt. not_affected \u2014 PyJWT version 1.7.1 is not affected by CVE-2026-48524. The vulnerability concerns PyJWKClient.fetch_data() clearing the JWKS cache on fetch errors, enabling unlimited HTTP requests. PyJWKClient was introduced in PyJWT 2.0.0 (2021), and this target version 1.7.1 (2018) predates that feature entirely. No JWKS fetching capability, no cache mechanism, and no code path exists for the vulnerability p..." }, "affects": [ { "ref": "pkg:pypi/pyjwt@1.7.1" } ] }, { "bom-ref": "urn:uuid:e56a79ab-58cc-5418-8201-8fb1b6deaab9", "id": "CVE-2026-48525", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-48525 affects version 1.7.1 of pyjwt." }, "affects": [ { "ref": "pkg:pypi/pyjwt@1.7.1" } ] }, { "bom-ref": "urn:uuid:533abbe8-79a2-5a20-a276-5aaff82d48e8", "id": "CVE-2026-48526", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-48526 affects version 1.7.1 of pyjwt." }, "affects": [ { "ref": "pkg:pypi/pyjwt@1.7.1" } ] } ], "dependencies": [ { "ref": "pkg:pypi/pyjwt@1.7.1" } ] }