Nov

#18395 of 53,608
14.7 Total CVSS
Vulnerabilities · 2
High
2
PT-2025-18004
7.2
2025-04-27
Unknown · Karaz Karazal · CVE-2025-46657
**Name of the Vulnerable Software and Affected Versions**

Karaz Karazal through 2025-04-14

**Description**

The issue allows reflected XSS via the `lang` parameter to the default URI. This is improper neutralization of input during web page generation, also known as cross-site scripting.

**Recommendations**

For Karaz Karazal through 2025-04-14, as a temporary workaround, consider restricting access to the default URI or disabling the use of the `lang` parameter until a patch is available. Avoid using the `lang` parameter in the affected URI until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2019-15698
7.5
2019-11-12
Ruby · Json-Jwt · CVE-2019-18848
**Name of the Vulnerable Software and Affected Versions**

json-jwt gem versions prior to 1.11.0

**Description**

The issue is in the json-jwt gem for Ruby, which does not check the number of elements when it splits a JWE string. The missing element count can lead to security issues.

**Recommendations**

For versions prior to 1.11.0, update to version 1.11.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of JWE strings until the update is applied.