EUVD-2025-7706
Malicious code in bioql PyPI...
sequoia-openpgp security vulnerability
sequoia-openpgp is a Rust library from the individual developer of sequoia-openpgp. A security vulnerability exists in sequoia-openpgp versions prior to 1.21.0, which stems from providing a low-level interface to the OpenPGP implementation that could lead to an infinite loop...
ROS-20250717-04
A vulnerability in the Thunderbird email client is related to errors in processing OpenPGP cryptographic signatures. Exploitation of the vulnerability could allow a remote attacker to launch a spoofing attack. Vulnerability in the implementation of S/MIME Secure/Multipurpose Internet Mail Extensio...
CVE-2023-41037
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorit...
CVE-2025-47934
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result...
@jamietanna/patch-testing (>=0.1.0 <=0.2.28), @jamietanna/renovate-graph (>=0.24.0 <=0.30.0) +5 more potentially affected by CVE-2025-47934 via openpgp (>=6.0.0 <=6.1.0)
openpgp NPM version =6.0.0, =0.1.0, =0.24.0, =0.5.2, =7.2.5, =0.40.0, =2.0.0, =39.15.1, =41.0.0-next.22 Source cves: CVE-2025-47934 Source advisory: OSV:GHSA-8QFF-QR5Q-5PR8...
@adebaraayomide/synchro_sdk (>=0.0.3 <=0.1.0-synchro-sdk), @bitgo-beta/abstract-cosmos (>=1.0.0-alpha.24 <=1.0.1-beta.867) +215 more potentially affected by CVE-2025-47934 via openpgp (>=5.0.1 <=5.11.2)
openpgp NPM version =5.0.1, =0.0.3, =1.0.0-alpha.24, =1.0.2-beta.339, =1.0.0, =1.0.0, =1.1.1-beta.343, =2.20.1-beta.335, =14.2.1-beta.335, =0.0.1-beta.219, =1.6.1-alpha.75, =2.2.3-alpha.75, =1.3.3-alpha.75, =1.0.0, =1.0.0, =1.1.2-alpha.55, =3.1.2-beta.883 and more Source cves: CVE-2025-47934 Sour...
CVE-2025-47934 OpenPGP.js's message signature verification can be spoofed
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result...
CVE-2025-26696
A flaw was found in Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted...
CVE-2025-26695
When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8...
CVE-2024-53857
rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows attackers to trigger resource exhaustion vulnerabilities in rpgp by providing crafted messages. This affects general message parsing and decryption with symmetric keys...
Mozilla Thunderbird ESR Security Update (MFSA2024-61) - Windows
Mozilla Thunderbird ESR is prone to an information disclosure vulnerability.
@emiliogonzalezpe/comp (>=1.6.0 <=1.6.1), @monax/hoard (>=9.0.0-dev.5644f38 <=9.1.0) +80 more potentially affected by CVE-2023-41037 via openpgp (>=0.11.1 <=4.10.10)
openpgp NPM version =0.11.1, =1.6.0, =9.0.0-dev.5644f38, =1.0.1, =0.0.1, =1.6.0, =1.4.0, =1.6.0, =0.0.0-semantic-release, =0.4.2, =0.0.1, =0.1.0, =0.3.0 and more Source cves: CVE-2023-41037 Source advisory: OSV:GHSA-CH3C-V47X-4PGP...
@blackdark/hashicorp-js-releases (=1.4.7), @cythral/renovate (>=0.1.6 <=0.1.7) +6 more potentially affected by CVE-2023-41037 via openpgp (>=5.0.0 <=5.0.1)
openpgp NPM version =5.0.0, =0.1.6, =1.1.15, =1.1.46, =1.32.0, =27.10.0, =1.35.0, =1.29.0, =1.30.0 Source cves: CVE-2023-41037 Source advisory: OSV:GHSA-CH3C-V47X-4PGP...
CVE-2022-2226
An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an...
pgpbuilder (>=0.3.6 <=0.6.0), pgpmailer (>=0.3.8 <=0.9.1) +5 more potentially affected by CVE-2015-8013 via openpgp (>=0.11.1 <=0.8.2)
openpgp NPM version =0.11.1, =0.3.6, =0.3.8, =0.0.1, =0.1.0, =0.5.6, =0.15.0, =0.24.1 Source cves: CVE-2015-8013 Source advisory: OSV:GHSA-QMVQ-F3FJ-M3WG...
OPENSUSE-SU-2022:0058-1 Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues: - Mozilla Thunderbird 91.4.1 - CVE-2021-4126: OpenPGP signature status doesn't consider additional message content. bsc1194215 - CVE-2021-44538: Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow...
@app-config/cli (>=2.0.2 <=3.0.0-alpha.6), @app-config/config (>=2.1.0 <=2.9.0-beta.3) +196 more potentially affected by CVE-2019-9155 via openpgp (>=0.11.1 <=4.10.9)
openpgp NPM version =0.11.1, =2.0.2, =2.1.0, =2.1.0, =2.7.0, =2.1.0, =2.8.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.6.0, =2.6.0, =2.8.0, =1.1.0, =1.6.4-rds-3.0 and more Source cves: CVE-2019-9155 Source advisory: OSV:GHSA-77JF-FJJF-XCWW...
Improper Key Verification in openpgp
Versions of openpgp prior to 4.2.0 are vulnerable to Improper Key Verification. The OpenPGP standard allows signature packets to have subpackets which may be hashed or unhashed. Unhashed subpackets are not cryptographically protected and cannot be trusted. The openpgp package does not verify...
CVE-2005-0366
The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback CFB mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is...