CVE-2026-31839

Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/striae-org/striae/releases/tag/v3.0.0	Release Notes
https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:striae:striae:*:*:*:*:*:node.js:*:*

History

20 Mar 2026, 16:56

Type	Values Removed	Values Added
Summary		(es) Striae es un compañero de comparación para examinadores de armas de fuego. Existía una vulnerabilidad de omisión de integridad de alta gravedad en el flujo de trabajo de confirmación digital de Striae antes de la v3.0.0. La validación solo por hash confiaba en los campos de hash del manifiesto que podían ser modificados junto con el contenido del paquete, permitiendo que los paquetes de confirmación manipulados pasaran las comprobaciones de integridad. Esta vulnerabilidad está corregida en la 3.0.0.
First Time		Striae striae Striae
CPE		cpe:2.3:a:striae:striae::::::node.js::*
References	~~() https://github.com/striae-org/striae/releases/tag/v3.0.0 -~~	() https://github.com/striae-org/striae/releases/tag/v3.0.0 - Release Notes
References	~~() https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m -~~	() https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m - Vendor Advisory

11 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 17:16

Updated : 2026-03-20 16:56

NVD link : CVE-2026-31839

Mitre link : CVE-2026-31839

CVE.ORG link : CVE-2026-31839

JSON object : View

Products Affected

striae

striae

CWE

CWE-354

Improper Validation of Integrity Check Value

{"id": "CVE-2026-31839", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-11T17:16:58.270", "references": [{"url": "https://github.com/striae-org/striae/releases/tag/v3.0.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-354"}]}], "descriptions": [{"lang": "en", "value": "Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0."}, {"lang": "es", "value": "Striae es un compa\u00f1ero de comparaci\u00f3n para examinadores de armas de fuego. Exist\u00eda una vulnerabilidad de omisi\u00f3n de integridad de alta gravedad en el flujo de trabajo de confirmaci\u00f3n digital de Striae antes de la v3.0.0. La validaci\u00f3n solo por hash confiaba en los campos de hash del manifiesto que pod\u00edan ser modificados junto con el contenido del paquete, permitiendo que los paquetes de confirmaci\u00f3n manipulados pasaran las comprobaciones de integridad. Esta vulnerabilidad est\u00e1 corregida en la 3.0.0."}], "lastModified": "2026-03-20T16:56:55.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:striae:striae:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3DECC8C8-51C3-472E-B292-6800B86701C3", "versionEndIncluding": "3.0.0", "versionStartIncluding": "0.9.22"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}