CVE-2026-33895

🗓️ 27 Mar 2026 20:47:54Reported by GitHub_MType

Forge Ed25519 signature forgery due to missing S over L check; fixed in Forge version one point four zero.

Reporter	Title	Published	Views	Family All 45
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution, loss of confidentiality and denial of service	6 May 202613:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses node-forge-1.3.2.tgz, node-forge-1.3.3.tgz which is vulnerable to CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896	5 May 202612:43	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of node-forge-1.3.1.tgz, IBM Sterling Connect:Direct Web Services is affected by Denial of Service (DoS).	2 Jun 202612:04	–	ibm
ATTACKERKB	CVE-2026-33895	27 Mar 202620:47	–	attackerkb
Chainguard	CVE-2026-33895 vulnerabilities	31 Mar 202619:17	–	cgr
Circl	CVE-2026-33895	26 Mar 202622:04	–	circl
CNNVD	Digital Bazaar Forge 数据伪造问题漏洞	27 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-33895 Forge has signature forgery in Ed25519 due to missing S > L check	27 Mar 202620:47	–	cvelist
Github Security Blog	Forge has signature forgery in Ed25519 due to missing S > L check	26 Mar 202622:04	–	github
Github Security Blog	StableLib Ed25519 Signature Malleability via Missing S < L Check	1 Apr 202622:13	–	github

NVD

Vulners

Node

digitalbazaar forgeRange≤1.3.3node.js

[
  {
    "vendor": "digitalbazaar",
    "product": "forge",
    "versions": [
      {
        "version": "< 1.4.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw
github	www.github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85
datatracker	www.datatracker.ietf.org/doc/html/rfc8032

14 Apr 2026 01:14Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.17.5

EPSS0.0004

SSVC

CWE-347