Total
655 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52648 | 1 Hcl | 1 Aion | 2026-03-27 | N/A | 4.8 MEDIUM |
| HCL AION is affected by a vulnerability where offering images are not digitally signed. Lack of image signing may allow the use of unverified or tampered images, potentially leading to security risks such as integrity compromise or unintended behavior in the system | |||||
| CVE-2026-20699 | 1 Apple | 1 Macos | 2026-03-25 | N/A | 6.2 MEDIUM |
| A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data. | |||||
| CVE-2026-20989 | 1 Samsung | 1 Android | 2026-03-20 | N/A | 2.4 LOW |
| Improper verification of cryptographic signature in Font Settings prior to SMR Mar-2026 Release 1 allows physical attackers to use custom font. | |||||
| CVE-2026-3564 | 2026-03-18 | N/A | 9.0 CRITICAL | ||
| A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios. | |||||
| CVE-2026-27962 | 1 Authlib | 1 Authlib | 2026-03-17 | N/A | 9.1 CRITICAL |
| Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9. | |||||
| CVE-2026-28432 | 1 Misskey | 1 Misskey | 2026-03-13 | N/A | 7.5 HIGH |
| Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1. | |||||
| CVE-2026-22866 | 1 Ens.domains | 1 Ethereum Name Service | 2026-03-13 | N/A | 7.5 HIGH |
| Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. In versions 1.6.2 and prior, the `RSASHA256Algorithm` and `RSASHA1Algorithm` contracts fail to validate PKCS#1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 (or 20) bytes of the decrypted signature match the expected hash. This enables Bleichenbacher's 2006 signature forgery attack against DNS zones using RSA keys with low public exponents (e=3). Two ENS-supported TLDs (.cc and .name) use e=3 for their Key Signing Keys, allowing any domain under these TLDs to be fraudulently claimed on ENS without DNS ownership. Apatch was merged at commit c76c5ad0dc9de1c966443bd946fafc6351f87587. Possible workarounds include deploying the patched contracts and pointing DNSSECImpl.setAlgorithm to the deployed contract. | |||||
| CVE-2025-41767 | 1 Mbs-solutions | 4 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 1 more | 2026-03-11 | N/A | 7.2 HIGH |
| A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate.cgi method in the web interface of UBR. | |||||
| CVE-2026-3338 | 1 Amazon | 2 Aws-lc-sys, Aws Libcrypto | 2026-03-11 | N/A | 7.5 HIGH |
| Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | |||||
| CVE-2025-15444 | 1 Iamb | 1 Crypt\ | 2026-03-10 | N/A | 9.8 CRITICAL |
| Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 . The libsodium vulnerability states: In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability. | |||||
| CVE-2026-28802 | 1 Authlib | 1 Authlib | 2026-03-09 | N/A | 9.8 CRITICAL |
| Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7. | |||||
| CVE-2025-65945 | 1 Auth0 | 1 Node-jws | 2026-03-09 | N/A | 7.5 HIGH |
| auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1. | |||||
| CVE-2026-0750 | 1 Verifone | 1 Commerce Paybox | 2026-03-09 | N/A | 7.5 HIGH |
| Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5. | |||||
| CVE-2024-52958 | 1 Gss | 1 Iota C.ai | 2026-03-06 | N/A | 7.2 HIGH |
| A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via upload plugin function. | |||||
| CVE-2018-5383 | 3 Apple, Google, Ti | 4 Iphone Os, Mac Os X, Android and 1 more | 2026-03-05 | 4.3 MEDIUM | 6.8 MEDIUM |
| Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. | |||||
| CVE-2026-27445 | 1 Seppmail | 1 Seppmail | 2026-03-05 | N/A | 5.3 MEDIUM |
| SEPPmail Secure Email Gateway before version 15.0.1 does not properly verify that a PGP signature was generated by the expected key, allowing signature spoofing. | |||||
| CVE-2026-2746 | 1 Seppmail | 1 Seppmail | 2026-03-05 | N/A | 5.3 MEDIUM |
| SEPPmail Secure Email Gateway before version 15.0.1 does not properly communicate PGP signature verification results, leaving users unable to detect forged emails. | |||||
| CVE-2025-12150 | 1 Redhat | 2 Build Of Keycloak, Keycloak | 2026-03-05 | N/A | 3.1 LOW |
| A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration. | |||||
| CVE-2026-23518 | 1 Fleetdm | 1 Fleet | 2026-02-27 | N/A | 9.8 CRITICAL |
| Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | |||||
| CVE-2026-23967 | 1 Juneandgreen | 1 Sm-crypto | 2026-02-25 | N/A | 7.5 HIGH |
| sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue. | |||||