Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation

Zoom WordPress plugin 4.6.6 contains a broken authentication caused by disabled nonce verification in an AJAX handler, letting unauthenticated attackers generate valid Zoom SDK signatures and retrieve the Zoom SDK key. id: CVE-2026-1368 info: name: Video Conferencing with Zoom API 4.6.6 -...

EUVD-2026-39597

The Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the...

EUVD-2026-39581

PKCS7verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted...

DEBIAN-CVE-2026-7511

PKCS7verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted...

CVE-2026-7511

PKCS7verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted...

CVE-2026-11800

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...

CVE-2026-7511

PKCS7verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted...

CVE-2026-7511

Technical details are not publicly available in the provided documents for CVE-2026-7511. Monitor for updates from vendors and CERT advisories to learn affected products, versions, impact, and remediation.

CVE-2026-6450

A CRL critical extension bypass exists in ParseCRLExtensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This only affects builds with CRL support enabled and where a crafted CRL had a trusted signature when pars...

CVE-2026-46349

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to...

CVE-2026-48028

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors...

CVE-2026-50128

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

CVE-2026-50128 Mastodon: Spoofing of attribution domains

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

CVE-2026-50128

Mastodon vulnerability CVE-2026-50128 affects versions 4.3.0 through 4.5.11 and 4.4.18, where an error in the attributionDomains JSON-LD handling allows an attacker to arbitrarily modify the attributionDomains value on a legitimately signed Update and bypass signature verification. This can under...

CVE-2026-48028

Mastodon (open-source social network server) versions prior to 4.5.10, 4.4.17, and 4.3.23 are affected. The vulnerability arises from how incoming activities signed with Linked-Data Signatures are normalized, failing to adequately protect against a class of spoofing that lets an attacker remove J...

CVE-2026-56244

Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to...

Linux Distros Unpatched Vulnerability : CVE-2026-48990

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joser...

Astra Linux – Vulnerability in LibreOffice

LibreOffice supports digital signatures for ODF documents and macros within documents. It provides visual aids to indicate that the document has not been altered since the last signature, and that the signature is valid. A vulnerability in certificate validation in LibreOffice allowed attackers t...

Astra Linux – Vulnerability in LibreOffice

LibreOffice supports digital signatures for ODF documents and macros within documents. It provides visual indicators that confirm that the document has not been altered since the last signature, and that the signature is valid. A vulnerability in certificate validation in LibreOffice allowed...

Astra Linux – Vulnerability in nss, Thunderbird

Versions of NSS Network Security Services prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications that use NSS to handle signatures encoded within CMS, S/MIME, PKCS \7, or PKCS \12 are likely to be affected. Applications that...