Ouch. Here's a very simple example of a very classic JWT security flaw -- "using the none signing algorithm to subvert signature validation checks when verifying JWT tokens used for OAuth authentication."
It's a great article that walks through the attacker mindset in finding and exploiting a flaw.
It's also a chance to talk about secure by design and secure by default. The JWT design espouses cryptographic agility in the "alg" header, which is intended to provide options for what algorithm signs the JWT. But this has led to many security flaws, including the one in this article. When crypto agility is touted as a benefit, who is actually benefitting? How does it influence threat models? Is it a feature desired by security teams or a feature useful to developers?
Even the best practices RFC explicitly calls out the security problems that arise from this feature.
For comparison, check out how Paseto approaches this problem with default choices and a versioning scheme.