pac4j-jwt is affected by a CVSS 10.0 authentication bypass vulnerability (CVE-2026-29000) that lets an unauthenticated attacker completely bypass JWT-based authentication controls. Sonatype identified 18-19 additional dependent packages with transitive exposure, which extends the potential impact significantly beyond direct pac4j-jwt consumers. Although the EPSS score is currently low (25th percentile), the CVSS 10.0 severity and zero-credential attack vector require immediate remediation; do not defer it on the basis of the current EPSS score alone. Confirm the specific affected version ranges from NVD and the official pac4j security advisory before finalizing patching actions.
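One way to inventory the direct and transitive exposure described above, as an added example that is not from pac4j or Sonatype: it parses `mvn dependency:tree` text output and reports every chain that pulls in `org.pac4j:pac4j-jwt`. The sample tree, its project names and its versions are constructed; the script only lists resolved versions, and whether a version is affected is decided against the ranges confirmed from NVD and the advisory.

```python
import re

TARGET = "org.pac4j:pac4j-jwt"  # groupId:artifactId of the library named above

# Constructed sample of `mvn dependency:tree` output (names and versions are made up).
SAMPLE_TREE = r"""
[INFO] com.example:shop-api:jar:1.0.0
[INFO] +- com.example:sso-starter:jar:0.0.1-sample:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:0.0.1-sample:compile
[INFO] |  \- org.pac4j:pac4j-jwt:jar:0.0.1-sample:compile
[INFO] +- org.pac4j:pac4j-jwt:jar:0.0.2-sample:compile
[INFO] \- com.example:reporting:jar:0.0.1-sample:compile
[INFO]    \- com.example:auth-client:jar:0.0.1-sample:runtime
[INFO]       \- org.pac4j:pac4j-jwt:jar:0.0.1-sample:runtime
"""

# Optional "[INFO] ", then zero or more 3-character indent units, then the coordinates.
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ]  |[+\\]- )*)(\S+)")


def find_exposure(tree_text, target=TARGET):
    """Return one finding per occurrence of target, with the chain that pulls it in."""
    stack, findings = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        parts = m.group(2).split(":")
        if len(parts) < 4:          # banner or log line, not a dependency node
            continue
        depth = len(m.group(1)) // 3
        del stack[depth:]           # drop siblings and deeper nodes; depth 0 starts a new module
        stack.append(":".join(parts[:2]))
        if stack[-1] == target and depth > 0:
            findings.append({
                "path": list(stack),        # root module first, target last
                "version": parts[-2],       # ...:version:scope on non-root nodes
                "direct": depth == 1,       # declared in the module's own POM
            })
    return findings


if __name__ == "__main__":
    for f in find_exposure(SAMPLE_TREE):
        kind = "direct" if f["direct"] else "transitive"
        print(f'{kind:10} {f["version"]:14} {" -> ".join(f["path"])}')
```

For a transitive finding, the second element of `path` is the direct dependency whose upgrade or exclusion removes that chain.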