149 matches found
CVE-2026-56232
Capgo before 12.128.2 fails to enforce limitedtoorgs and limitedtoapps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the...
CVE-2026-56232
Capgo before 12.128.2 fails to enforce limitedtoorgs and limitedtoapps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the...
EUVD-2026-38739
Capgo before 12.128.2 fails to enforce limitedtoorgs and limitedtoapps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the...
CVE-2026-56232
Capgo is affected: before version 12.128.2, the system does not enforce limited_to_orgs and limited_to_apps on subkeys supplied via the x-limited-key-id header in the middlewareKey function. This allows attackers to reference their own subkeys and bypass subkey scope restrictions, causing downstr...
CVE-2026-56306
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...
CVE-2026-56306
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...
EUVD-2026-38369
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...
CVE-2026-56306 Capgo - Subkey Enforcement Bypass via x-limited-key-id Header Parsing
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...
CVE-2026-56306
Capgo before 12.128.2 contains a parsing vulnerability in the x-limited-key-id header that can bypass subkey enforcement and let attackers make requests under the main API key context instead of restricted subkey permissions. The issue arises from malformed, zero, or duplicate header values produ...
PT-2026-51407
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A weak parsing issue exists in the x-limited-key-id header. Remote attackers can bypass subkey enforcement by submitting duplicate headers, zero, or malformed values that result in falsy values or N...
Astra Linux – Vulnerability in Thunderbird
An attacker may carry out a DoS attack to prevent a user from sending encrypted emails to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self-signature, and the Thunderbird user imports the crafted key, then Thunderbird may attempt to use the inval...
Astra Linux – Vulnerability in Thunderbird
If a Thunderbird user has previously imported Alice’s OpenPGP key, and Alice has extended the validity period of her key, but Alice’s updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice’s key with an invalid subkey. In this case, Thunderbird...
CLSA-2026-1777545003 rpm: Fix of CVE-2021-3521
CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...
CLSA-2026-1777539405 rpm: Fix of CVE-2021-3521
CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...
CLSA-2026-1777539108 rpm: Fix of CVE-2021-3521
CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...
CLSA-2026-1776159098 Fix CVE(s): CVE-2025-30258
SECURITY UPDATE: signature verification DoS via malicious subkey - debian/patches/CVE-2025-30258.patch: require signing usage when looking up public key for signature verification, filtering out subkeys without valid backsig. Include upstream regression fixes to preserve verification of signature...
CLSA-2026-1775119189 gnupg2: Fix of CVE-2025-30258
CVE-2025-30258: fix verification DoS due to a malicious subkey in the keyring...
CLSA-2026-1774612633 gnupg2: Fix of CVE-2025-30258
CVE-2025-30258: fix verification DoS due to a malicious subkey in the keyring...
EulerOS Virtualization 2.12.1 : gnupg2 (EulerOS-SA-2026-1427)
According to the versions of the gnupg2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : In GnuPG before 2.4.9, armorfilter in g10/armor.c has two increments of an index variable where one is intended, leading to an...
CLSA-2026-1772571803 munge: Fix of CVE-2026-25506
CVE-2026-25506: fix buffer overflow in message parsing and add bounds checks and input validation for address length; prevent leak of cryptographic MAC subkey and forging of arbitrary credentials...