36 matches found
EUVD-2025-16666
Malicious code in bioql PyPI...
EUVD-2025-16676
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-48994
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared...
Linux Distros Unpatched Vulnerability : CVE-2025-48995
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared...
Timing Side-channel Attack
signxml is vulnerable to a Timing side-channel attack. The vulnerability is due to information leakage during HMAC comparison when require_x509=False and hmac_key is used, allowing attackers to infer the correct HMAC...
GHSA-6VX8-PCWV-XHF4 SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature...
alertwise (=1.0.0), aos-signer (>=0.0.6 <=1.8.0b9) +15 more potentially affected by CVE-2025-48994 via signxml (>=2.10.1 <=4.0.2)
signxml PYPI version =2.10.1, =0.0.6, =0.5.1, =1.0.0, =0.5.1, =1.1.0, =0.1.0, =1.4.0, =2.0.0, =1.0.0, =0.5.3, =0.5.27, =1.5.3, =1.6.3 and more Source cves: CVE-2025-48994 Source advisory: OSV:GHSA-6VX8-PCWV-XHF4...
GHSA-GMHF-GG8W-JW42 SignXML's signature verification with HMAC is vulnerable to a timing attack
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing...
alertwise (=1.0.0), aos-signer (>=0.0.6 <=1.8.0b9) +15 more potentially affected by CVE-2025-48995 via signxml (>=2.10.1 <=4.0.2)
signxml PYPI version =2.10.1, =0.0.6, =0.5.1, =1.0.0, =0.5.1, =1.1.0, =0.1.0, =1.4.0, =2.0.0, =1.0.0, =0.5.3, =0.5.27, =1.5.3, =1.6.3 and more Source cves: CVE-2025-48995 Source advisory: OSV:GHSA-GMHF-GG8W-JW42...
SignXML's signature verification with HMAC is vulnerable to a timing attack
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing...
CVE-2025-48995
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...
CVE-2025-48994
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...
alertwise (=1.0.0) potentially affected by CVE-2025-48995 via signxml (=4.0.2)
signxml PYPI version =4.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on signxml and may be impacted: - alertwise =1.0.0 Source cves: CVE-2025-48995 Source advisory: SNYK:PYTHON-SIGNXML-10303872...
Timing Attack
Overview: signxml is a Python XML Signature and XAdES library. Affected versions of this package are vulnerable to Timing Attack due to the verify function in XMLVerifier. An attacker can infer the correct HMAC used for XML signature verification by observing the time it takes to compare the comput...
CVE-2025-48995
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...
DEBIAN-CVE-2025-48995
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...
DEBIAN-CVE-2025-48994
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...
CVE-2025-48994
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...
UBUNTU-CVE-2025-48995
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...
UBUNTU-CVE-2025-48994
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...