{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:55080527-d38e-5550-a6a3-69b0ffe3764d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:pypi/pyjwt@2.3.0", "type": "library", "name": "pyjwt", "version": "2.3.0", "purl": "pkg:pypi/pyjwt@2.3.0" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:66fb7912-3a01-5526-abc6-328bbda093ea", "id": "CVE-2026-48524", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-48524 does not affect version 2.3.0 of pyjwt. not_affected \u2014 Target PyJWT version 2.3.0 is not affected by CVE-2026-48524. The vulnerability requires the jwk_set_cache feature with a finally-block cache-clearing pattern that was introduced in version 2.5.0. Version 2.3.0 predates this feature and uses a simpler lru_cache-based architecture that inherently avoids the cache-clearing behavior." }, "affects": [ { "ref": "pkg:pypi/pyjwt@2.3.0" } ] }, { "bom-ref": "urn:uuid:0df54c36-28ef-5ba2-8435-2bc09ebeea5a", "id": "CVE-2026-48525", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-48525 does not affect version 2.3.0 of pyjwt. not_affected \u2014 Version 2.3.0.post1+tuxcare does not support RFC 7797 detached payloads (b64=false feature), which is the attack vector for CVE-2026-48525. The vulnerability-specific code path does not exist in this version." }, "affects": [ { "ref": "pkg:pypi/pyjwt@2.3.0" } ] }, { "bom-ref": "urn:uuid:dca9ba85-842c-5754-a18d-de94ebb3e215", "id": "CVE-2026-48526", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-48526 affects version 2.3.0 of pyjwt." }, "affects": [ { "ref": "pkg:pypi/pyjwt@2.3.0" } ] } ], "dependencies": [ { "ref": "pkg:pypi/pyjwt@2.3.0" } ] }