8 matches found
CVE-2026-23966 sm-crypto Affected by Private Key Recovery in SM2-PKE
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can...
CVE-2026-23967 sm-crypto Affected by Signature Malleability in SM2-DSA
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a...
@3w5h/knowledge_query (=1.0.30), @3w5h/utils (>=1.0.0 <=1.0.7) +576 more potentially affected by CVE-2026-23965 via sm-crypto (>=0.0.9 <=0.3.8)
sm-crypto NPM version =0.0.9, =1.0.0, =0.1.0, =4.4.42, =0.0.2, =2.2.6, =2.2.6, =2.2.6, =2.3.10, =2.1.4, =2.2.6, =2.2.6, =2.2.6, =2.1.15, =2.3.9 and more Source cves: CVE-2026-23965 Source advisory: OSV:GHSA-HPWG-XG7M-3P6M...
@3w5h/knowledge_query (=1.0.30), @3w5h/utils (>=1.0.0 <=1.0.7) +576 more potentially affected by CVE-2026-23965 via sm-crypto (>=0.0.9 <=0.3.8)
sm-crypto NPM version =0.0.9, =1.0.0, =0.1.0, =4.4.42, =0.0.2, =2.2.6, =2.2.6, =2.2.6, =2.3.10, =2.1.4, =2.2.6, =2.2.6, =2.2.6, =2.1.15, =2.3.9 and more Source cves: CVE-2026-23965 Source advisory: SNYK:JS-SMCRYPTO-15054484...
@arkxos/arkos-app-gateway-manage (=0.1.0), @arkxos/arkos-app-system (>=0.1.0 <=0.1.1) +80 more potentially affected by CVE-2026-23967 via sm-crypto (>=0.0.9 <=0.3.13)
sm-crypto NPM version =0.0.9, =0.1.0, =1.0.30, =0.1.26, =1.0.0, =1.0.0, =1.0.9, =1.0.1, =1.1.1, =3.0.0, =4.0.0, =4.3.0 and more Source cves: CVE-2026-23967 Source advisory: OSV:GHSA-QV7W-V773-3XQM...
cn.herodotus.engine:oauth2-authentication-autoconfigure (>=3.5.5.3 <=3.5.6.2), cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.3.0.5 <=3.5.5.2) +2 more potentially affected by CVE-2026-23967 via org.webjars.npm:sm-crypto (=0.3.13)
org.webjars.npm:sm-crypto MAVEN version =0.3.13 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:sm-crypto and may be impacted: - cn.herodotus.engine:oauth2-authentication-autoconfigure =3.5.5.3, =3.3.0.5, =3.3.0.5, =3.5.5.3, =3.5.6.2...
cn.herodotus.engine:oauth2-authentication-autoconfigure (>=3.5.5.3 <=3.5.6.2), cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.3.0.5 <=3.5.5.2) +2 more potentially affected by CVE-2026-23966 via org.webjars.npm:sm-crypto (=0.3.13)
org.webjars.npm:sm-crypto MAVEN version =0.3.13 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:sm-crypto and may be impacted: - cn.herodotus.engine:oauth2-authentication-autoconfigure =3.5.5.3, =3.3.0.5, =3.3.0.5, =3.5.5.3, =3.5.6.2...
sm-crypto Affected by Private Key Recovery in SM2-PKE
Summary A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Credit This vulnerability was discovered...