github.com/russellhaering/goxmldsig is vulnerable to signature validation bypass. An attacker is able to bypass the signature validation using a malicious XML file input and submit a manipulated file as signed one.
github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
lists.fedoraproject.org/archives/list/[email protected]/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/
lists.fedoraproject.org/archives/list/[email protected]/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/
pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview