
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class (362 CVEs)

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 is an integrity weakness in which software fails to verify, or incorrectly verifies, the cryptographic signature attached to data or code. Attackers typically exploit the flaw by intercepting communications or modifying stored files, replacing legitimate content with malicious payloads that carry no valid signature. Because the application accepts the unsigned or tampered input as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to full system compromise or data loss. To prevent this, developers must verify every incoming or processed item against its expected cryptographic signature using trusted public keys, so that any alteration, even a single flipped bit, is detected and rejected. Secure key management and the use of vetted cryptographic libraries rather than custom implementations further strengthen the defense against signature forgery and tampering.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
An attacker could gain access to sensitive data and possibly execute unauthorized code.

Examples (1)
In the following code, a JarFile object is created from a downloaded file.
Bad (Java):
    File f = new File(downloadedFilePath);
    JarFile jf = new JarFile(f);
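As an added illustration (not MITRE's code and not code from this site), the Java helper below shows what the example above leaves out: constructing a JarFile does not by itself establish trust. Signature checks only run when an entry's bytes are actually read, and an unsigned JAR, or one signed by an arbitrary key, opens without complaint. The helper reads every content entry, requires each to carry a signer whose leaf certificate matches a pinned certificate, and treats an empty or tampered JAR as a failure. The class name SignedJarCheck, the PEM loading helper and the command-line usage are assumptions made for this illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical helper: accept a downloaded JAR only if every entry is signed by a pinned certificate. */
public final class SignedJarCheck {

    /**
     * Returns true only if the JAR verifies and every content entry carries a
     * signature whose leaf certificate is trustedSigner. Returns false for unsigned
     * JARs, tampered entries, empty JARs and entries signed by anyone else.
     */
    public static boolean isFullySignedBy(File jar, X509Certificate trustedSigner) throws IOException {
        // verify=true is the default; stating it makes the intent explicit.
        // Verification is lazy: an entry is only checked once its bytes are read.
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            int checked = 0;
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Directories and the signature metadata itself are never signed;
                // everything else (including other files under META-INF/) must be.
                if (e.isDirectory() || isSignatureMetadata(e.getName())) continue;

                // Read the entry to the end; a digest mismatch throws SecurityException here.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume */ }
                }
                // null means the entry carries no signature at all.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || !signedBy(signers, trustedSigner)) return false;
                checked++;
            }
            // "All entries signed" is vacuously true for an empty JAR; reject it.
            return checked > 0;
        } catch (SecurityException tampered) {
            return false;
        }
    }

    /** Files the JAR signing process excludes from signing: manifest, .SF and signature blocks. */
    private static boolean isSignatureMetadata(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF") || upper.startsWith("META-INF/SIG-")
            || upper.endsWith(".SF") || upper.endsWith(".RSA")
            || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    /** True if any signer's leaf certificate is exactly the pinned certificate. */
    private static boolean signedBy(CodeSigner[] signers, X509Certificate trusted) {
        for (CodeSigner s : signers) {
            List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
            if (!chain.isEmpty() && chain.get(0).equals(trusted)) return true;
        }
        return false;
    }

    /** Loads a single PEM/DER encoded X.509 certificate (assumed input format). */
    public static X509Certificate loadCertificate(File pem) throws IOException, CertificateException {
        try (InputStream in = new FileInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java SignedJarCheck downloaded.jar trusted-signer.pem
    public static void main(String[] args) throws Exception {
        File jar = new File(args[0]);
        X509Certificate trusted = loadCertificate(new File(args[1]));
        if (!isFullySignedBy(jar, trusted)) {
            System.err.println("Rejecting " + jar + ": not fully signed by the trusted certificate");
            System.exit(1);
        }
        System.out.println("OK: " + jar + " is fully signed by " + trusted.getSubjectX500Principal());
    }
}
```

Pinning the exact signer certificate is a deliberate choice: it means a JAR signed with any other key, including one issued by a public CA, is rejected, and rotating the signing key requires shipping a new pin. The helper does not check certificate validity periods or revocation; if the deployment needs those, they belong in an explicit check on the signer's certificate path rather than in the assumption that the JAR opened cleanly.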
CVE ID | Title | CVSS | Severity | Published
CVE-2026-42193 | Plunk: SNS webhook forgery — plunk | 9.1 | Critical | 2026-05-08
CVE-2026-44497 | ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer — zebra | 9.1 | Critical | 2026-05-08
CVE-2026-41669 | Admidio: SAML Signature Validation Result Ignored — Forged AuthnRequests and LogoutRequests Processed — admidio | 8.2 | High | 2026-05-07
CVE-2026-7689 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification — ERP CRM | 3.7 | Low | 2026-05-03
CVE-2026-33467 | Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass — Elastic Package Registry | 5.9 | Medium | 2026-04-28
CVE-2026-6986 | Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification — Mongoose | 3.7 | Low | 2026-04-25
CVE-2026-6966 | Signature Threshold Bypass in awslabs/tough Delegated Roles — tough | 5.3 | Medium | 2026-04-24
CVE-2026-6911 | Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel — AWS Ops Wheel | 9.8 | Critical | 2026-04-24
CVE-2026-34068 | nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge — nimiq-transaction | 6.8 | Medium | 2026-04-22
CVE-2026-40372 | ASP.NET Core Elevation of Privilege Vulnerability — ASP.NET Core 10.0 | 9.1 | Critical | 2026-04-21
CVE-2026-41301 | OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass — OpenClaw | 5.3 | Medium | 2026-04-20
CVE-2026-5050 | Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation — Payment Gateway for Redsys & WooCommerce Lite | 7.5 | High | 2026-04-16
CVE-2026-24032 | Siemens SINEC NMS data forgery vulnerability — SINEC NMS | 7.3 | High | 2026-04-14
CVE-2026-0234 | Cortex XSOAR: Improper Verification of Cryptographic Signature in Microsoft Teams integration — Cortex XSOAR Microsoft Teams Marketplace | 9.1 | - | 2026-04-13
CVE-2026-5466 | wc_VerifyEccsiHash missing sanity check — wolfSSL | 9.1 | - | 2026-04-10
CVE-2026-40070 | bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) — bsv-ruby-sdk | 8.1 | High | 2026-04-09
CVE-2026-39413 | LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API — LightRAG | 4.2 | Medium | 2026-04-08
CVE-2026-2625 | Rust-rpm-sequoia: rust-rpm-sequoia: denial of service via crafted rpm file during signature verification — Red Hat Hardened Images | 4.0 | Medium | 2026-04-03
CVE-2026-34840 | OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification — oneuptime | 8.1 | High | 2026-04-02
CVE-2026-34240 | jose vulnerable to untrusted JWK header key acceptance during signature verification — jose | 7.5 | High | 2026-03-31
CVE-2026-34377 | Zebra has a Consensus Failure due to Improper Verification of V5 Transactions — zebra | 7.5 | High | 2026-03-31
CVE-2026-32883 | Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass — botan | 5.9 | Medium | 2026-03-30
CVE-2026-32974 | OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token — OpenClaw | 8.6 | High | 2026-03-29
CVE-2026-33895 | Forge has signature forgery in Ed25519 due to missing S > L check — forge | 7.5 | High | 2026-03-27
CVE-2026-33894 | Forge has signature forgery in RSA-PKCS due to ASN.1 extra field — forge | 7.5 | High | 2026-03-27
CVE-2026-33487 | goxmldsig has validateSignature Loop Variable Capture Signature Bypass — goxmldsig | 7.5 | High | 2026-03-26
CVE-2026-4600 | jsrsasign security vulnerability — jsrsasign | 7.4 | High | 2026-03-23
CVE-2026-4115 | PuTTY Ed25519 Signature ecc-ssh.c eddsa_verify signature verification — PuTTY | 3.7 | Low | 2026-03-22
CVE-2026-4541 | janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification — tinyssh | 2.5 | Low | 2026-03-22
CVE-2026-4478 | Yi Technology YI Home Camera HTTP Firmware Update ipc signature verification — YI Home Camera | 8.1 | High | 2026-03-20

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) account for 362 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.