Skip to content

Security Review — 2026-06-06 — security-warning#97

Open
jdrumgoole wants to merge 1 commit into
mainfrom
security-review/2026-06-06
Open

Security Review — 2026-06-06 — security-warning#97
jdrumgoole wants to merge 1 commit into
mainfrom
security-review/2026-06-06

Conversation

@jdrumgoole

Copy link
Copy Markdown
Owner

Summary

  • 2 WARNING findings from new CVEs published since the last review
  • 17 INFO items carried forward unchanged (no code changes since 2026-06-05)
  • 0 CRITICAL findings

WARNING-1: CVE-2026-48526 — PyJWT algorithm confusion

PyJWT 2.12.1 (locked) is affected by an algorithm-confusion vulnerability fixed in 2.13.0. Not exploitable in WineBox (HS256 only, no JWK or mixed algorithms), but the pin should be bumped for defence in depth.

Fix: pyjwt>=2.13.0 in pyproject.toml + uv lock --upgrade-package pyjwt

WARNING-2: CVE-2026-34993 + CVE-2026-47265 — aiohttp pickle RCE and cookie leak

aiohttp 3.13.5 (locked) is affected by a pickle deserialization RCE and a cross-origin redirect cookie leak, both fixed in 3.14.0. Not exploitable in WineBox (aiohttp is a transitive dependency with no direct usage), but the pin should be bumped.

Fix: aiohttp>=3.14.0 in pyproject.toml + uv lock --upgrade-package aiohttp

Test plan

  • Bump pyjwt>=2.13.0 in pyproject.toml
  • Bump aiohttp>=3.14.0 in pyproject.toml
  • Run uv lock --upgrade-package pyjwt --upgrade-package aiohttp
  • Run full test suite to confirm no regressions
  • Update CVE tracking comments in pyproject.toml

https://claude.ai/code/session_01TLJ72HAyG4hHS6ppPJ2LPX


Generated by Claude Code

2 WARNING findings: CVE-2026-48526 (PyJWT algorithm confusion, fix: bump to >=2.13.0)
and CVE-2026-34993 + CVE-2026-47265 (aiohttp pickle RCE + cookie leak, fix: bump to
>=3.14.0). Neither is exploitable in WineBox's current architecture but the version
pins should be bumped for defence in depth. 17 INFO items carried forward unchanged.

https://claude.ai/code/session_01TLJ72HAyG4hHS6ppPJ2LPX
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants