DataEase v2.10.2 - JWT Signature Verification Bypass

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The...

Keycloak - SAML Core Package Signature Validation Flaw

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Referen...

MinIO - Incomplete Signature Validation for Unsigned-Trailer Uploads

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on...

CVE-2026-48990

A flaw was found in joserfc, a Python library for JSON Object Signing and Encryption JOSE. This vulnerability allows a remote attacker to cause resource exhaustion, leading to a Denial of Service DoS, by sending oversized JSON Web Signature JWS payloads. The library fails to apply size limits,...

Siemens RUGGEDCOM RST2428P Infinite Loop (CVE-2026-23220)

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix infinite loop caused by nextsmb2rcvhdroff reset in error paths The problem occurs when a signed request fails smb2 signature verification check. In processrequest, if checksignreq returns an error, setsmb2rspstatuswork...

EUVD-2026-37552

The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listingloadmore AJAX handler accepts a filteredquery parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However,...

PT-2026-50551

Name of the Vulnerable Software and Affected Versions joserfc versions 1.3.4 through 1.6.5 Description joserfc is a Python library implementing JSON Object Signing and Encryption JOSE standards. The library fails to apply the JWSRegistry.max payload length limit when processing RFC7797 b64=false...

EUVD-2026-37016

Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign on a Key object picks a nonce, and every later sign on that same object...

CVE-2026-12205

Crypt::DSA for Perl versions before 1.21 reuse the per-signature nonce across signatures because the sign() function caches nonce data in the Key object and does not clear it. The first sign() selects a nonce and later signs reuse that nonce, producing identical r values, enabling potential priva...

CVE-2026-12205

Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign on a Key object picks a nonce, and every later sign on that same object...

CVE-2026-52694

Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce = 2.0 versions...

CVE-2026-52694 WordPress Signature Add-On for WooCommerce plugin <= 2.0 - Sensitive Data Exposure vulnerability

Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce = 2.0 versions...

CVE-2026-52694 WordPress Signature Add-On for WooCommerce plugin <= 2.0 - Sensitive Data Exposure vulnerability

Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce = 2.0 versions...

EUVD-2026-36901

Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce = 2.0 versions...

CVE-2026-52694

CVE-2026-52694 concerns the WordPress Signature Add-On for WooCommerce plugin, affected versions

GHSA-JQ35-7PRP-9V3F PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

!NOTE Scored assuming a deployment where algorithm policy functions as an authentication/authorization boundary. In deployments where the algorithm policy enforces crypto agility only, the practical confidentiality impact is lower and the issue is closer to an integrity-of-policy-enforcement bug...

GHSA-RRJ9-5Q2J-4GVR Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

Description Symfony\Component\Mailer\Bridge\Mailomat\Webhook\MailomatRequestParser::validateSignature parses the X-MOM-Webhook-Signature request header as algo=signature and passes the wire-supplied $algo directly to hashhmac when verifying the request against the configured webhook secret. The...

Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

Description Symfony\Component\Mailer\Bridge\Mailomat\Webhook\MailomatRequestParser::validateSignature parses the X-MOM-Webhook-Signature request header as algo=signature and passes the wire-supplied $algo directly to hashhmac when verifying the request against the configured webhook secret. The...

MAL-2026-5791 Malicious code in mddriver (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a5b264d05ffaf76e8be2d7a46cb2277211a045fa15e8c510ab60cdd5c5bae56 On require'mddriver', an IIFE in index.js invokes loadTokenData, which fetches https://www.jsonkeeper.com/b/C4H0M stored base64-encoded as...

PT-2026-49519

Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce = 2.0 versions...