Security Bulletin: Due to use of node-forge-1.3.1.tgz, IBM Sterling Connect:Direct Web Services is affected by Denial of Service (DoS).

Summary node-forge-1.3.1.tgz is used by IBM Sterling Connect:Direct Web Services CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896. Vulnerability Details CVEID:CVE-2026-33891 DESCRIPTION: Forge also called node-forge is a native implementation of Transport Layer Security in JavaScrip...

ExAws.SNS 安全漏洞

ExAws.SNS is an open-source AWS SNS message push service module developed by ex-aws. Versions of ExAws.SNS from 2.0.1 to 2.3.5 contained security vulnerabilities. These vulnerabilities were caused by improper certificate verification, which could lead to signature forgery...

PT-2026-44170

Found a vulnerability and got a CVE assigned CVE-2026-48747 The flaw is a Signature Algorithm Downgrade in the mailomat-mailer component, allowing an attacker to achieve complete Signature Forgery. https://t.co/NfV1wHdO9w CVE Symfony AppSec BugBounty...

Astra Linux - уязвимость в gnupg2

GnuPG versions up to 2.3.6 allow for signature forgery in unusual situations where an attacker possesses secret-key information from a victim’s keyring, and other constraints such as the use of GPGME are met. This can be achieved by injecting malicious data into the command line’s status line...

Astra Linux - уязвимость в node-browserify-sign

“browserify-sign” is a package that duplicates the functionality of Node’s crypto public key functions. Much of this functionality is based on Fedor Indutny’s work on “indutny/tls.js”. There is a issue with upper-bound checking in the “dsaVerify” function, which allows an attacker to create...

Astra Linux - уязвимость в poppler, poppler-22

NSSCryptoSignBackend.cc in Poppler before version 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, which can lead to potential signature forgeries...

Astra Linux - уязвимость в libreoffice

LibreOffice supports digital signatures for ODF documents and macros within documents. It provides visual indicators that confirm that the document has not been altered since the last signature, and that the signature is valid. A vulnerability in certificate validation in LibreOffice allowed...

CVE-2023-7345

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can...

CVE-2026-8596

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for special...

CVE-2026-8596

CVE-2026-8596: The ModelBuilder/Serve path in the Amazon SageMaker Python SDK stores the HMAC signing key in cleartext. A remote, authenticated actor with SageMaker describe API permissions and S3 write access to the model artifact path could extract the key from API responses and forge integrity...

PT-2026-41117

Name of the Vulnerable Software and Affected Versions Amazon SageMaker Python SDK versions prior to 2.257.2 Amazon SageMaker Python SDK versions prior to 3.8.0 Description The ModelBuilder/Serve component stores sensitive information in cleartext. A remote authenticated actor with permissions to...

Amazon SageMaker Python SDK 安全漏洞

Amazon SageMaker Python SDK is a development toolkit provided by Amazon, Inc., for building, training, and deploying machine learning models. Versions of the Amazon SageMaker Python SDK prior to v2.257.2 and v3.8.0 contained security vulnerabilities. These vulnerabilities stemmed from the...

cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

A validation flaw has been discovered in the python cryptography package. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification ECDSA and...

cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

A validation flaw has been discovered in the python cryptography package. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification ECDSA and...

Security Bulletin: cryptography Missing Subgroup Validation in EC Public Keys Enables ECDH Key Leakage and ECDSA Forgery

Summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the publickeyfromnumbers or EllipticCurvePublicNumbers.publickey, EllipticCurvePublicNumbers.publickey, loadderpublickey and loadpempublickey functions do not verify th...

cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

A validation flaw has been discovered in the python cryptography package. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification ECDSA and...

Amazon tough 数据伪造问题漏洞

Amazon Tough is a Rust client library for The Update Framework TUF by Amazon Inc. Versions of Amazon Tough prior to v0.22.0 contained a data manipulation vulnerability. This vulnerability stemmed from improper validation of the encryption signature uniqueness during delegated role verification. A...

CVE-2026-33471

nimiq-block contains block primitives to be used in Nimiq's Rust implementation. SkipBlockProof::verify computes its quorum check using BitSet.len, then iterates BitSet indices and casts each usize index to u16 slot as u16 for slot lookup. Prior to version 1.3.0, if an attacker can get a...

CVE-2026-5466

wolfSSL's ECCSI signature verifier wcVerifyEccsiHash decodes the r and s scalars from the signature blob via mpreadunsignedbin with no check that they lie in 1, q-1. A crafted forged signature could verify against any message for any identity, using only publicly-known constants...

Improper Verification Of Cryptographic Signature

node-forge is vulnerable to Improper Verification of Cryptographic Signature. The vulnerability is due to insufficient validation of RSASSA PKCS1 v1.5 signatures allowing malformed ASN structures and inadequate padding checks, which allows an attacker to forge valid signatures and bypass signatur...