
11 matches found

Cvelist
added 2026/06/04 1:40 a.m. | 37 views

CVE-2026-41860

CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelpercreateasyncendpoint and sendhttpgetrequestsynchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH...

CVSS 8.8 | EPSS 0.00076
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/22 2:31 a.m. | 6 views

CVE-2026-39831 Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

The Verify method for FIDO/U2F security key types [email protected], [email protected] did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

AI score 5.8 | EPSS 0.00309
Exploits: 0 | References: 4
CVE
added 2026/04/02 8:25 a.m. | 8 views

CVE-2026-29132

CVE-2026-29132 affects SEPPmail Secure Email Gateway prior to 15.0.3. An attacker who has access to a victim’s GINA account can bypass a second-password check and read protected emails. The vulnerability is documented across multiple feeds (NVD/Red Hat/EUVD/CIRCL, etc.), consistently stating the ...

CVSS 7.5 | AI score 5.9 | EPSS 0.00251
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2026/03/26 10:4 p.m. | 2 views

GHSA-Q67F-28XG-22RW Forge has signature forgery in Ed25519 due to missing S > L check

Summary: Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the...

CVSS 7.5 | AI score 6.7 | EPSS 0.00336
Exploits: 0 | References: 7
Cvelist
added 2025/07/01 2:7 a.m. | 8 views

CVE-2024-49365 tiny-secp256k1 allows for verify() bypass when running in bundled environment

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...

CVSS 9.1 | EPSS 0.00215
Exploits: 0 | References: 2
Vulnrichment
added 2025/07/01 2:7 a.m. | 4 views

CVE-2024-49365 tiny-secp256k1 allows for verify() bypass when running in bundled environment

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...

CVSS 9.1 | AI score 7.2 | EPSS 0.00215
Exploits: 0 | References: 2
OSV
added 2025/07/01 2:7 a.m. | 3 views

CVE-2024-49365 tiny-secp256k1 allows for verify() bypass when running in bundled environment

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...

CVSS 9.1 | AI score 7 | EPSS 0.00215
Exploits: 0 | References: 4
CVE
added 2025/07/01 2:7 a.m. | 19 views

CVE-2024-49365

The CVE-2024-49365 issue affects tiny-secp256k1 prior to 1.1.7, where in environments using the Node buffer package, Buffer.isBuffer can be bypassed and a crafted JSON-stringifiable object could be accepted by verify(), potentially causing false-positive True values. The root cause is a vulnerabi...

CVSS 9.1 | AI score 6.6 | EPSS 0.00215
Exploits: 0 | References: 2
Github Security Blog
added 2025/06/30 5:44 p.m. | 9 views

tiny-secp256k1 allows for verify() bypass when running in bundled environment

Summary: A malicious JSON-stringifyable message can be made passing on verify, when global Buffer is buffer package. Details: This affects only environments where require('buffer') is E.g.: browser bundles, React Native apps, etc. Buffer.isBuffer check can be bypassed, resulting in strange objects bei...

CVSS 9.1 | AI score 6.9 | EPSS 0.00215
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2025/06/30 5:44 p.m. | 0 views

GHSA-5VHG-9XG4-CV9M tiny-secp256k1 allows for verify() bypass when running in bundled environment

Summary: A malicious JSON-stringifyable message can be made passing on verify, when global Buffer is buffer package. Details: This affects only environments where require('buffer') is E.g.: browser bundles, React Native apps, etc. Buffer.isBuffer check can be bypassed, resulting in strange objects bei...

CVSS 9.1 | AI score 5.9 | EPSS 0.00215
Exploits: 0 | References: 4
OSV
added 2020/05/26 1:15 p.m. | 3 views

UBUNTU-CVE-2020-3811

qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability...

CVSS 7.5 | AI score 7.1 | EPSS 0.01768
Exploits: 2 | References: 5