CWE-347

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

CVE-2026-3706 (GCVE-0-2026-3706)

Vulnerability from cvelistv5 – Published: 2026-03-08 05:02 – Updated: 2026-04-22 18:54 – Tags: Disputed, X_Open Source
Title
mkj Dropbear S Range Check curve25519.c unpackneg signature verification
Summary
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. Patch name: fdec3c90a15447bd538641d85e5a3e3ac981011d. To fix this issue, it is recommended to deploy a patch. The project maintainer explains: "Signature Malleability is not exploitable in SSH protocol. (...) [A] PoC doesn't exist for SSH implementation, but rather it's against the internal API."
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
  • CWE-345 - Insufficient Verification of Data Authenticity
Impacted products
Vendor Product Version
mkj Dropbear Affected: 2025.0
Affected: 2025.1
Affected: 2025.2
Affected: 2025.3
Affected: 2025.4
Affected: 2025.5
Affected: 2025.6
Affected: 2025.7
Affected: 2025.8
Affected: 2025.9
Affected: 2025.10
Affected: 2025.11
Affected: 2025.12
Affected: 2025.13
Affected: 2025.14
Affected: 2025.15
Affected: 2025.16
Affected: 2025.17
Affected: 2025.18
Affected: 2025.19
Affected: 2025.20
Affected: 2025.21
Affected: 2025.22
Affected: 2025.23
Affected: 2025.24
Affected: 2025.25
Affected: 2025.26
Affected: 2025.27
Affected: 2025.28
Affected: 2025.29
Affected: 2025.30
Affected: 2025.31
Affected: 2025.32
Affected: 2025.33
Affected: 2025.34
Affected: 2025.35
Affected: 2025.36
Affected: 2025.37
Affected: 2025.38
Affected: 2025.39
Affected: 2025.40
Affected: 2025.41
Affected: 2025.42
Affected: 2025.43
Affected: 2025.44
Affected: 2025.45
Affected: 2025.46
Affected: 2025.47
Affected: 2025.48
Affected: 2025.49
Affected: 2025.50
Affected: 2025.51
Affected: 2025.52
Affected: 2025.53
Affected: 2025.54
Affected: 2025.55
Affected: 2025.56
Affected: 2025.57
Affected: 2025.58
Affected: 2025.59
Affected: 2025.60
Affected: 2025.61
Affected: 2025.62
Affected: 2025.63
Affected: 2025.64
Affected: 2025.65
Affected: 2025.66
Affected: 2025.67
Affected: 2025.68
Affected: 2025.69
Affected: 2025.70
Affected: 2025.71
Affected: 2025.72
Affected: 2025.73
Affected: 2025.74
Affected: 2025.75
Affected: 2025.76
Affected: 2025.77
Affected: 2025.78
Affected: 2025.79
Affected: 2025.80
Affected: 2025.81
Affected: 2025.82
Affected: 2025.83
Affected: 2025.84
Affected: 2025.85
Affected: 2025.86
Affected: 2025.87
Affected: 2025.88
Affected: 2025.89
Credits
pythok (VulDB User)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3706",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T14:05:08.951683Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:54:11.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/mkj/dropbear/issues/406"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "S Range Check"
          ],
          "product": "Dropbear",
          "vendor": "mkj",
          "versions": [
            {
              "status": "affected",
              "version": "2025.0"
            },
            {
              "status": "affected",
              "version": "2025.1"
            },
            {
              "status": "affected",
              "version": "2025.2"
            },
            {
              "status": "affected",
              "version": "2025.3"
            },
            {
              "status": "affected",
              "version": "2025.4"
            },
            {
              "status": "affected",
              "version": "2025.5"
            },
            {
              "status": "affected",
              "version": "2025.6"
            },
            {
              "status": "affected",
              "version": "2025.7"
            },
            {
              "status": "affected",
              "version": "2025.8"
            },
            {
              "status": "affected",
              "version": "2025.9"
            },
            {
              "status": "affected",
              "version": "2025.10"
            },
            {
              "status": "affected",
              "version": "2025.11"
            },
            {
              "status": "affected",
              "version": "2025.12"
            },
            {
              "status": "affected",
              "version": "2025.13"
            },
            {
              "status": "affected",
              "version": "2025.14"
            },
            {
              "status": "affected",
              "version": "2025.15"
            },
            {
              "status": "affected",
              "version": "2025.16"
            },
            {
              "status": "affected",
              "version": "2025.17"
            },
            {
              "status": "affected",
              "version": "2025.18"
            },
            {
              "status": "affected",
              "version": "2025.19"
            },
            {
              "status": "affected",
              "version": "2025.20"
            },
            {
              "status": "affected",
              "version": "2025.21"
            },
            {
              "status": "affected",
              "version": "2025.22"
            },
            {
              "status": "affected",
              "version": "2025.23"
            },
            {
              "status": "affected",
              "version": "2025.24"
            },
            {
              "status": "affected",
              "version": "2025.25"
            },
            {
              "status": "affected",
              "version": "2025.26"
            },
            {
              "status": "affected",
              "version": "2025.27"
            },
            {
              "status": "affected",
              "version": "2025.28"
            },
            {
              "status": "affected",
              "version": "2025.29"
            },
            {
              "status": "affected",
              "version": "2025.30"
            },
            {
              "status": "affected",
              "version": "2025.31"
            },
            {
              "status": "affected",
              "version": "2025.32"
            },
            {
              "status": "affected",
              "version": "2025.33"
            },
            {
              "status": "affected",
              "version": "2025.34"
            },
            {
              "status": "affected",
              "version": "2025.35"
            },
            {
              "status": "affected",
              "version": "2025.36"
            },
            {
              "status": "affected",
              "version": "2025.37"
            },
            {
              "status": "affected",
              "version": "2025.38"
            },
            {
              "status": "affected",
              "version": "2025.39"
            },
            {
              "status": "affected",
              "version": "2025.40"
            },
            {
              "status": "affected",
              "version": "2025.41"
            },
            {
              "status": "affected",
              "version": "2025.42"
            },
            {
              "status": "affected",
              "version": "2025.43"
            },
            {
              "status": "affected",
              "version": "2025.44"
            },
            {
              "status": "affected",
              "version": "2025.45"
            },
            {
              "status": "affected",
              "version": "2025.46"
            },
            {
              "status": "affected",
              "version": "2025.47"
            },
            {
              "status": "affected",
              "version": "2025.48"
            },
            {
              "status": "affected",
              "version": "2025.49"
            },
            {
              "status": "affected",
              "version": "2025.50"
            },
            {
              "status": "affected",
              "version": "2025.51"
            },
            {
              "status": "affected",
              "version": "2025.52"
            },
            {
              "status": "affected",
              "version": "2025.53"
            },
            {
              "status": "affected",
              "version": "2025.54"
            },
            {
              "status": "affected",
              "version": "2025.55"
            },
            {
              "status": "affected",
              "version": "2025.56"
            },
            {
              "status": "affected",
              "version": "2025.57"
            },
            {
              "status": "affected",
              "version": "2025.58"
            },
            {
              "status": "affected",
              "version": "2025.59"
            },
            {
              "status": "affected",
              "version": "2025.60"
            },
            {
              "status": "affected",
              "version": "2025.61"
            },
            {
              "status": "affected",
              "version": "2025.62"
            },
            {
              "status": "affected",
              "version": "2025.63"
            },
            {
              "status": "affected",
              "version": "2025.64"
            },
            {
              "status": "affected",
              "version": "2025.65"
            },
            {
              "status": "affected",
              "version": "2025.66"
            },
            {
              "status": "affected",
              "version": "2025.67"
            },
            {
              "status": "affected",
              "version": "2025.68"
            },
            {
              "status": "affected",
              "version": "2025.69"
            },
            {
              "status": "affected",
              "version": "2025.70"
            },
            {
              "status": "affected",
              "version": "2025.71"
            },
            {
              "status": "affected",
              "version": "2025.72"
            },
            {
              "status": "affected",
              "version": "2025.73"
            },
            {
              "status": "affected",
              "version": "2025.74"
            },
            {
              "status": "affected",
              "version": "2025.75"
            },
            {
              "status": "affected",
              "version": "2025.76"
            },
            {
              "status": "affected",
              "version": "2025.77"
            },
            {
              "status": "affected",
              "version": "2025.78"
            },
            {
              "status": "affected",
              "version": "2025.79"
            },
            {
              "status": "affected",
              "version": "2025.80"
            },
            {
              "status": "affected",
              "version": "2025.81"
            },
            {
              "status": "affected",
              "version": "2025.82"
            },
            {
              "status": "affected",
              "version": "2025.83"
            },
            {
              "status": "affected",
              "version": "2025.84"
            },
            {
              "status": "affected",
              "version": "2025.85"
            },
            {
              "status": "affected",
              "version": "2025.86"
            },
            {
              "status": "affected",
              "version": "2025.87"
            },
            {
              "status": "affected",
              "version": "2025.88"
            },
            {
              "status": "affected",
              "version": "2025.89"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "pythok (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. Patch name: fdec3c90a15447bd538641d85e5a3e3ac981011d. To fix this issue, it is recommended to deploy a patch. The project maintainer explains: \"Signature Malleability is not exploitable in SSH protocol. (...) [A] PoC doesn\u0027t exist for SSH implementation, but rather it\u0027s against the internal API.\""
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T05:39:00.731Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-349652 | mkj Dropbear S Range Check curve25519.c unpackneg signature verification",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.349652"
        },
        {
          "name": "VDB-349652 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.349652"
        },
        {
          "name": "Submit #765933 | GitHub Dropbear 2025.89 Improper Verification of Cryptographic Signature",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.765933"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/mkj/dropbear/issues/406"
        },
        {
          "tags": [
            "issue-tracking",
            "patch"
          ],
          "url": "https://github.com/mkj/dropbear/pull/407"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/mkj/dropbear/commit/fdec3c90a15447bd538641d85e5a3e3ac981011d"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/str4d/ed25519-java/issues/82#issue-727629226"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/mkj/dropbear/"
        }
      ],
      "tags": [
        "disputed",
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-07T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-07T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-16T06:42:50.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "mkj Dropbear S Range Check curve25519.c unpackneg signature verification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-3706",
    "datePublished": "2026-03-08T05:02:11.136Z",
    "dateReserved": "2026-03-07T09:05:33.842Z",
    "dateUpdated": "2026-04-22T18:54:11.224Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39413 (GCVE-0-2026-39413)

Vulnerability from cvelistv5 – Published: 2026-04-08 19:41 – Updated: 2026-04-22 15:28
Title
LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API
Summary
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
Impacted products
Vendor Product Version
HKUDS LightRAG Affected: < 1.4.14

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39413",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T20:18:28.117904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T20:18:55.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-22T15:28:31.845Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/github/advisory-database/issues/7373"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LightRAG",
          "vendor": "HKUDS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying \u0027alg\u0027: \u0027none\u0027 in the JWT header. Since the jwt.decode() call does not explicitly deny the \u0027none\u0027 algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T19:41:23.909Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf"
        }
      ],
      "source": {
        "advisory": "GHSA-8ffj-4hx4-9pgf",
        "discovery": "UNKNOWN"
      },
      "title": "LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39413",
    "datePublished": "2026-04-08T19:41:23.909Z",
    "dateReserved": "2026-04-07T00:23:30.595Z",
    "dateUpdated": "2026-04-22T15:28:31.845Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40070 (GCVE-0-2026-40070)

Vulnerability from cvelistv5 – Published: 2026-04-09 17:26 – Updated: 2026-04-13 15:38
Title
bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
Summary
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40070",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T15:29:59.716749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T15:38:58.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bsv-ruby-sdk",
          "vendor": "sgbett",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.3.1, \u003c 0.8.2"
            }
          ]
        },
        {
          "product": "bsv-sdk",
          "vendor": "sgbett",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.3.1, \u003c 0.8.2"
            }
          ]
        },
        {
          "product": "bsv-wallet",
          "vendor": "sgbett",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.2, \u003c 0.3.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier\u0027s signature over the certificate contents. In acquisition_protocol: \u0027direct\u0027, the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: \u0027issuance\u0027, the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T17:26:51.495Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j"
        },
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/issues/305",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"
        },
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/pull/306",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"
        },
        {
          "name": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"
        },
        {
          "name": "https://brc.dev/52",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://brc.dev/52"
        }
      ],
      "source": {
        "advisory": "GHSA-hc36-c89j-5f4j",
        "discovery": "UNKNOWN"
      },
      "title": "bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40070",
    "datePublished": "2026-04-09T17:26:51.495Z",
    "dateReserved": "2026-04-09T00:39:12.204Z",
    "dateUpdated": "2026-04-13T15:38:58.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40372 (GCVE-0-2026-40372)

Vulnerability from cvelistv5 – Published: 2026-04-21 19:20 – Updated: 2026-05-12 17:39
Title
ASP.NET Core Elevation of Privilege Vulnerability
Summary
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
Date Public
2026-04-21 14:00

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40372",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T03:56:11.609Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ASP.NET Core 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Visual Studio 2026 version 18.5",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "18.5.2",
              "status": "affected",
              "version": "18.5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.7",
                  "versionStartIncluding": "10.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "18.5.2",
                  "versionStartIncluding": "18.5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-04-21T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T17:39:53.725Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "ASP.NET Core Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372"
        }
      ],
      "title": "ASP.NET Core Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-40372",
    "datePublished": "2026-04-21T19:20:50.215Z",
    "dateReserved": "2026-04-11T23:06:15.615Z",
    "dateUpdated": "2026-05-12T17:39:53.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4115 (GCVE-0-2026-4115)

Vulnerability from cvelistv5 – Published: 2026-03-22 12:15 – Updated: 2026-05-25 01:42 Disputed X_Open Source
Title
PuTTY Ed25519 Signature ecc-ssh.c eddsa_verify signature verification
Summary
A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verification of cryptographic signature. The attack may be performed remotely. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as af996b5ec27ab79bae3882071b9d6acf16044549. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a patch for the affected product. However, at the moment there is no proof that this flaw might have any real-world impact.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
  • CWE-345 - Insufficient Verification of Data Authenticity
Assigner
Impacted products
Vendor Product Version
n/a PuTTY Affected: 0.83
    cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*
Credits
pythok (VulDB User) VulDB

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4115",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T15:32:32.298237Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T15:32:42.204Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-25T01:42:39.715Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/24/11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Ed25519 Signature Handler"
          ],
          "product": "PuTTY",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "0.83"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "pythok (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as af996b5ec27ab79bae3882071b9d6acf16044549. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a patch for the affected product. However, at the moment there is no proof that this flaw might have any real-world impact."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-22T12:20:27.727Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-352429 | PuTTY Ed25519 Signature ecc-ssh.c eddsa_verify signature verification",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.352429"
        },
        {
          "name": "VDB-352429 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.352429"
        },
        {
          "name": "Submit #775576 | PuTTY Project (Simon Tatham) PuTTY 0.83 Improper Verification of Cryptographic Signature",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.775576"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/py-thok/putty-ed25519-malleability-s-plus-l"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/eddsa-overlarge-s.html"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/py-thok/putty-ed25519-malleability-s-plus-l/blob/main/poc.py"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=af996b5ec27ab79bae3882071b9d6acf16044549"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.rfc-editor.org/rfc/rfc8032#section-8.4"
        }
      ],
      "tags": [
        "disputed",
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-22T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-22T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-22T12:54:35.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "PuTTY Ed25519 Signature ecc-ssh.c eddsa_verify signature verification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-4115",
    "datePublished": "2026-03-22T12:15:07.531Z",
    "dateReserved": "2026-03-13T12:09:58.769Z",
    "dateUpdated": "2026-05-25T01:42:39.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41301 (GCVE-0-2026-41301)

Vulnerability from cvelistv5 – Published: 2026-04-20 23:08 – Updated: 2026-04-21 13:33 X_Open Source
Title
OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass
Summary
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
Assigner
Impacted products
Vendor Product Version
OpenClaw OpenClaw Affected: 2026.3.22, < 2026.3.31 (semver)
Unaffected: 2026.3.31 (semver)
Date Public
2026-04-02 00:00
Credits
smaeljaish771 KeenSecurityLab

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41301",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-21T13:33:12.331380Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-21T13:33:53.554Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/openclaw",
          "product": "OpenClaw",
          "vendor": "OpenClaw",
          "versions": [
            {
              "lessThan": "2026.3.31",
              "status": "affected",
              "version": "2026.3.22",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2026.3.31",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
                  "versionEndExcluding": "2026.3.31",
                  "versionStartIncluding": "2026.3.22",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "smaeljaish771"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "KeenSecurityLab"
        }
      ],
      "datePublic": "2026-04-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T23:08:14.023Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-h43v-27wg-5mf9)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h43v-27wg-5mf9"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openclaw/openclaw/commit/4ee742174f36b5445703e3b1ef2fbd6ae6700fa4"
        },
        {
          "name": "VulnCheck Advisory: OpenClaw 2026.3.22 \u003c 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/openclaw-forged-nostr-dm-pairing-state-creation-via-signature-verification-bypass"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "title": "OpenClaw 2026.3.22 \u003c 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-41301",
    "datePublished": "2026-04-20T23:08:14.023Z",
    "dateReserved": "2026-04-20T14:01:13.151Z",
    "dateUpdated": "2026-04-21T13:33:53.554Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41431 (GCVE-0-2026-41431)

Vulnerability from cvelistv5 – Published: 2026-05-11 16:55 – Updated: 2026-05-11 18:31
Title
Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
Summary
Zen is a Firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
Impacted products
Vendor Product Version
zen-browser desktop Affected: < 1.19.9b

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41431",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:31:13.968267Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:31:38.146Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "desktop",
          "vendor": "zen-browser",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.19.9b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T16:55:10.814Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
        },
        {
          "name": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e"
        }
      ],
      "source": {
        "advisory": "GHSA-qpj9-m8jc-mw6q",
        "discovery": "UNKNOWN"
      },
      "title": "Zen Browser MAR updater ships with signature verification removed \u2014 unsigned updates accepted"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41431",
    "datePublished": "2026-05-11T16:55:10.814Z",
    "dateReserved": "2026-04-20T15:32:33.814Z",
    "dateUpdated": "2026-05-11T18:31:38.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41669 (GCVE-0-2026-41669)

Vulnerability from cvelistv5 – Published: 2026-05-07 03:00 – Updated: 2026-05-07 13:52
Title
Admidio: SAML Signature Validation Result Ignored — Forged AuthnRequests and LogoutRequests Processed
Summary
Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective — unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
Impacted products
Vendor Product Version
Admidio admidio Affected: < 5.0.9

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41669",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-07T13:52:11.824634Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T13:52:49.029Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "admidio",
          "vendor": "Admidio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective \u2014 unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T03:00:29.816Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg"
        },
        {
          "name": "https://github.com/Admidio/admidio/releases/tag/v5.0.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
        }
      ],
      "source": {
        "advisory": "GHSA-25cw-98hg-g3cg",
        "discovery": "UNKNOWN"
      },
      "title": "Admidio: SAML Signature Validation Result Ignored \u2014 Forged AuthnRequests and LogoutRequests Processed"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41669",
    "datePublished": "2026-05-07T03:00:29.816Z",
    "dateReserved": "2026-04-22T03:53:24.405Z",
    "dateUpdated": "2026-05-07T13:52:49.029Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42193 (GCVE-0-2026-42193)

Vulnerability from cvelistv5 – Published: 2026-05-08 21:12 – Updated: 2026-05-11 18:06
Title
Plunk: SNS webhook forgery
Summary
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
CWE
  • CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
Impacted products
Vendor Product Version
useplunk plunk Affected: < 0.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42193",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:05:40.960607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:06:33.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "plunk",
          "vendor": "useplunk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T21:12:26.450Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/useplunk/plunk/security/advisories/GHSA-9792-w86v-gx53",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/useplunk/plunk/security/advisories/GHSA-9792-w86v-gx53"
        },
        {
          "name": "https://github.com/useplunk/plunk/releases/tag/v0.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/useplunk/plunk/releases/tag/v0.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-9792-w86v-gx53",
        "discovery": "UNKNOWN"
      },
      "title": "Plunk: SNS webhook forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42193",
    "datePublished": "2026-05-08T21:12:26.450Z",
    "dateReserved": "2026-04-25T01:53:21.584Z",
    "dateUpdated": "2026-05-11T18:06:33.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42602 (GCVE-0-2026-42602)

Vulnerability from cvelistv5 – Published: 2026-05-13 20:12 – Updated: 2026-05-14 12:52
Title
azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
Summary
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
CWE
  • CWE-208 - Observable Timing Discrepancy
  • CWE-287 - Improper Authentication
  • CWE-290 - Authentication Bypass by Spoofing
  • CWE-294 - Authentication Bypass by Capture-replay
  • CWE-347 - Improper Verification of Cryptographic Signature
Impacted products
Vendor Product Version
open-telemetry opentelemetry-collector-contrib Affected: >= 0.124.0, <= 0.150.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42602",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T12:51:31.756562Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T12:52:53.551Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-collector-contrib",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.124.0, \u003c= 0.150.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector\u0027s configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension\u0027s Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client\u0027s token to the result with string equality \u2014 and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-294",
              "description": "CWE-294: Authentication Bypass by Capture-replay",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T20:12:18.936Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-pjv4-3c63-699f"
        }
      ],
      "source": {
        "advisory": "GHSA-pjv4-3c63-699f",
        "discovery": "UNKNOWN"
      },
      "title": "azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42602",
    "datePublished": "2026-05-13T20:12:18.936Z",
    "dateReserved": "2026-04-29T00:31:15.725Z",
    "dateUpdated": "2026-05-14T12:52:53.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.
