Lucene search
K

163 matches found

NVD
NVD
added 6 days ago8 views

CVE-2026-54780

CoreWCF is a port of the service side of Windows Communication Foundation WCF to .NET Core. Prior to 1.8.1 and 1.9.1, the CoreWCF WS-Security 1.0 receive pipeline validates ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite but does not validate each ds:Reference...

3.7CVSS0.00157EPSS
Exploits0References6
NVD
NVD
added 6 days ago7 views

CVE-2026-54773

CoreWCF is a port of the service side of Windows Communication Foundation WCF to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security signature verification performs a document-wide ds:Signature lookup, allowing an unauthenticated remote attacker to place a SOAP header before wsse:Security an...

5.9CVSS0.00238EPSS
Exploits0References6
Cvelist
Cvelist
added 6 days ago32 views

CVE-2026-54783 CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages

CoreWCF is a port of the service side of Windows Communication Foundation WCF to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security endorsing and supporting signature verification does not ensure the selected ds:Signature covers the expected Security header target, allowing an attacker with...

7.4CVSS0.00143EPSS
Exploits0References6
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-54780 CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass

CoreWCF is a port of the service side of Windows Communication Foundation WCF to .NET Core. Prior to 1.8.1 and 1.9.1, the CoreWCF WS-Security 1.0 receive pipeline validates ds:SignedInfo SignatureMethod against the configured SecurityAlgorithmSuite but does not validate each ds:Reference...

3.7CVSS0.00157EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/19 8:47 p.m.7 views

Improper Verification of Cryptographic Signature

Overview CoreWCF.Primitives is a port of the service side of Windows Communication Foundation WCF to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in...

9.1CVSS6AI score0.00143EPSS
Exploits0References3
OSV
OSV
added 2026/06/19 8:47 p.m.6 views

GHSA-GQV6-PWCG-87R8 CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages

Impact The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays setting on transport-securit...

7.4CVSS6AI score0.00143EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 8:47 p.m.9 views

CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass

Impact CoreWCF’s WS-Security 1.0 receive pipeline validates the SignatureMethod of an incoming ds:SignedInfo against the configured SecurityAlgorithmSuite, but does not validate the DigestMethod declared on each ds:Reference. As a result, a sender can populate ds:SignedInfo with SignatureMethod...

3.7CVSS5.8AI score0.00157EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 8:46 p.m.6 views

CoreWCF: WS-Security signature substitution via document-wide Signature lookup

Impact An unauthenticated remote attacker who can place a SOAP header lexically before wsse:Security can embed a ds:Signature of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header. Preconditions...

5.9CVSS5.9AI score0.00238EPSS
Exploits0References2Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/16 8:4 p.m.16 views

Security Bulletin: IBM WebSphere Application Server is affected by a remote code execution vulnerability (CVE-2026-9319)

Summary IBM WebSphere Application Server is affected by a remote code execution vulnerability when using JAX-WS endpoints with WS-Security. Vulnerability Details CVEID:CVE-2026-9319 DESCRIPTION: IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to...

9CVSS6.3AI score0.00458EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/06/11 7:16 a.m.9 views

UBUNTU-CVE-2026-40994

Wss4jSecurityInterceptor initialized its BSP WS-I Basic Security Profile compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level...

8.2CVSS5.2AI score0.00229EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/11 5:4 a.m.32 views

CVE-2026-40996 Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS1 v1.5 rsa-15 encrypted key material unless operators explicitly reconfigured the flag...

4.8CVSS0.00129EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 5:4 a.m.39 views

CVE-2026-40996

CVE-2026-40996 affects Spring Web Services where Wss4jSecurityInterceptor incorrectly defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J’s safer validation behavior for RequestData. This could allow RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material in inbound WS-Security dec...

4.8CVSS5.5AI score0.00129EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 5:3 a.m.11 views

EUVD-2026-36204

Wss4jSecurityInterceptor initialized its BSP WS-I Basic Security Profile compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level...

8.2CVSS5.5AI score0.00229EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/10 12:0 a.m.9 views

Use of RSA Algorithm without OAEP

Overview Affected versions of this package are vulnerable to Use of RSA Algorithm without OAEP via the Wss4jSecurityInterceptor class, in the Wss4jSecurityInterceptor.java file due to defaulting allowRSA15KeyTransportAlgorithm to true when building the validation RequestData. This overrides Apach...

6.3CVSS5.4AI score0.00129EPSS
Exploits0References2
NVD
NVD
added 2026/06/01 7:16 p.m.15 views

CVE-2026-9319

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...

9CVSS0.00458EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/01 5:59 p.m.11 views

CVE-2026-9319

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...

9CVSS6.5AI score0.00458EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/01 5:59 p.m.8 views

CVE-2026-9319 IBM WebSphere Application Server is affected by a remote code execution vulnerability

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...

9CVSS6.5AI score0.00458EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2010-3186

Malware in sbrugna...

10CVSS6.3AI score0.02605EPSS
Exploits0References10
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2013-3984

Malware in sbrugna...

6.8CVSS8.9AI score0.01256EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2007-0411

Malware in sbrugna...

6.8CVSS6.4AI score0.00821EPSS
Exploits0References7
Rows per page
Query Builder