[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-35039":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-06T21:11:21.470Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":95,"aliases":96,"duplicate_of":9,"upstream":98,"downstream":99,"duplicates":100,"related":101,"reserved_at":9,"published_at":102,"modified_at":102,"state":103,"summary":104,"references_raw":111,"kevs":125,"epss":9,"epss_history":126,"metrics":127,"affected":137},"CVE-2026-35039","fast-jwt provides a fast JSON Web Token (JWT) implementation. In versions from 0.0.1 up to, but not including, 6.1.0, setting up a custom cacheKeyBuilder method that does not produce a unique key for each distinct token can lead to cache collisions. During verification, a token can then be misidentified, so that a valid token returns the claims of a different valid token and a user is misidentified as another user on the basis of the wrong token.",null,[11,67,89],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-345","Insufficient Verification of Data Authenticity","The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.","weakness","Draft","Class",[19,23,27,31,35,39,43,47,51,55,59,63],{"id":20,"name":21,"techniques":22},"CAPEC-111","JSON Hijacking (aka JavaScript Hijacking)",[],{"id":24,"name":25,"techniques":26},"CAPEC-141","Cache Poisoning",[],{"id":28,"name":29,"techniques":30},"CAPEC-142","DNS Cache Poisoning",[],{"id":32,"name":33,"techniques":34},"CAPEC-148","Content Spoofing",[],{"id":36,"name":37,"techniques":38},"CAPEC-218","Spoofing of UDDI/ebXML Messages",[],{"id":40,"name":41,"techniques":42},"CAPEC-384","Application API Message Manipulation via Man-in-the-Middle",[],{"id":44,"name":45,"techniques":46},"CAPEC-385","Transaction or Event Tampering via Application API Manipulation",[],{"id":48,"name":49,"techniques":50},"CAPEC-386","Application API Navigation Remapping",[],{"id":52,"name":53,"techniques":54},"CAPEC-387","Navigation Remapping To Propagate Malicious Content",[],{"id":56,"name":57,"techniques":58},"CAPEC-388","Application API Button Hijacking",[],{"id":60,"name":61,"techniques":62},"CAPEC-665","Exploitation of Thunderbolt Protection Flaws",[],{"id":64,"name":65,"techniques":66},"CAPEC-701","Browser in the Middle (BiTM)",[],{"_key":68,"id":68,"name":69,"description":70,"type":15,"status":71,"abstraction":17,"likelihood_of_exploit":9,"capec":72},"CWE-706","Use of Incorrectly-Resolved Name or Reference","The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.","Incomplete",[73,77,81,85],{"id":74,"name":75,"techniques":76},"CAPEC-159","Redirect Access to Libraries",[],{"id":78,"name":79,"techniques":80},"CAPEC-177","Create files with the same name as files protected with a higher classification",[],{"id":82,"name":83,"techniques":84},"CAPEC-48","Passing Local Filenames to Functions That Expect a URL",[],{"id":86,"name":87,"techniques":88},"CAPEC-641","DLL Side-Loading",[],{"_key":90,"id":90,"name":91,"description":92,"type":15,"status":71,"abstraction":93,"likelihood_of_exploit":9,"capec":94},"CWE-1289","Improper Validation of Unsafe Equivalence in Input","The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.","Base",[],[],[97],"GHSA-rp9m-7r4c-75qg",[],[],[],[],"2026-04-06T16:59:43.124Z","Received",{"cisa_kev":105,"cisa_ransomware":105,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":106,"severity_score":107,"severity_version":108,"severity_source":109,"severity_vector":110,"severity_status":103},false,"critical",9.1,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",[112,120],{"url":113,"sources":114,"tags":117},"https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg",[115,109,116],"osv_npm","nvd",[118,119],"WEB","X Refsource CONFIRM",{"url":121,"sources":122,"tags":123},"https://github.com/nearform/fast-jwt",[115],[124],"PACKAGE",[],[],[128,132,135],{"source":115,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":129,"cvss_v4_0":9},{"baseScore":107,"baseSeverity":9,"vectorString":110,"impactScore":130,"exploitabilityScore":131},8.7,10,{"source":109,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":133,"cvss_v4_0":9},{"baseScore":107,"baseSeverity":134,"vectorString":110,"impactScore":130,"exploitabilityScore":131},"CRITICAL",{"source":116,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":136,"cvss_v4_0":9},{"baseScore":107,"baseSeverity":134,"vectorString":110,"impactScore":130,"exploitabilityScore":131},[138,150],{"ecosystem":9,"name":139,"vendor":140,"product":139,"cpe_part":141,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":142},"fast-jwt","nearform","a",[143],{"version":144,"is_range":145,"range_type":109,"version_start":146,"version_start_type":147,"version_end":148,"version_end_type":149,"fixed_in":9},">= 0.0.1, \u003C 6.1.0",true,"0.0.1","including","6.1.0","excluding",{"ecosystem":151,"name":139,"vendor":151,"product":139,"cpe_part":9,"purl_type":152,"purl_namespace":9,"purl_name":139,"source":9,"versions":153},"Npm","npm",[154],{"version":155,"is_range":145,"range_type":156,"version_start":146,"version_start_type":147,"version_end":148,"version_end_type":149,"fixed_in":9},"gte0_0_1_lt6_1_0","semver"]