16 matches found
CVE-2026-50108
The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register o...
CVE-2026-44308
Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support @NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping did n...
CVE-2026-40070
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClientacquirecertificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisitionprotocol: 'direct', the caller supplies all...
bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
Unverified certifier signatures persisted by acquirecertificate Affected packages Both bsv-sdk and bsv-wallet are published from the sgbett/bsv-ruby-sdk repository. The vulnerable code lives in lib/bsv/walletinterface/walletclient.rb, which is physically shipped inside both gems the...
CVE-2026-40070 bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClientacquirecertificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisitionprotocol: 'direct', the caller supplies all...
CVE-2026-40070
The CVE-2026-40070 entry affects the BSV Ruby SDK (0.3.1–before 0.8.2). The vulnerability is in BSV::Wallet::WalletClient#acquire_certificate, which persists certificate records to storage without verifying the certifier’s signature in both acquisition_protocol paths: direct (caller-supplied fiel...
CVE-2026-40070 bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClientacquirecertificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisitionprotocol: 'direct', the caller supplies all...
CVE-2026-32883
A flaw was found in Botan. A remote attacker could exploit a vulnerability in the X509 path validation process where the signature of Online Certificate Status Protocol OCSP responses was not verified. This omission allows an attacker to provide forged OCSP responses, potentially leading to the...
CVE-2026-23518
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not...
SUSE-SU-2026:20080-1 Security update for gpg2
This update for gpg2 fixes the following issues: - CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption bsc1255715. Other security fixes: - gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures bsc1256246. - gpg...
Unity Linux 20.1070e Security Update: poppler (UTSA-2025-993337)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993337 advisory. NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. Tenable ha...
CVE-2025-36747
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmwar...
CVE-2025-65295
The CVE-2025-65295 affects Aqara Hub family (Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, Hub M3 4.3.6_0025). Root cause: firmware update process fails to validate signatures and uses outdated cryptographic methods, enabling forged signatures and potential malicious firmware installation. Additio...
CarlinKit CPC200-CCPA 数据伪造问题漏洞
CarlinKit CPC200-CCPA is a wireless CarPlay and Android Auto adapter from CarlinKit. The CarlinKit CPC200-CCPA suffers from a Data Forgery Issue vulnerability that stems from update.cgi processing update packages without verifying cryptographic signatures, which could lead to arbitrary code...
PT-2024-34157 · Laravel · Laravel Reverb
Name of the Vulnerable Software and Affected Versions: Laravel Reverb versions prior to 1.4.0 Description: The issue is related to unverified verification signatures for requests sent to Reverb's Pusher-compatible API. This API is used for scenarios such as broadcasting messages or obtaining...
libreoffice: Content Manipulation with Certificate Validation Attack
A flaw was found in LibreOffice, where it improperly validated signatures for algorithms that were not verified. This flaw leads to LibreOffice presenting a valid signature when the validity of the signature was not verified. The highest threat from this vulnerability is to confidentiality and...