CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class 371

371 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 represents a critical integrity weakness where software fails to properly validate cryptographic signatures attached to data or code. Attackers typically exploit this flaw by intercepting communications or modifying stored files, substituting legitimate content with malicious payloads that lack valid digital signatures. Because the application accepts these unsigned or tampered inputs as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to complete system compromise or data loss. To prevent this vulnerability, developers must implement rigorous verification routines that strictly check every incoming or processed item against its expected cryptographic signature using trusted public keys. This ensures that any alteration, even a single bit change, is detected and rejected. Additionally, employing secure key management practices and avoiding custom cryptographic implementations further strengthens the system’s defense against signature forgery and tampering attacks.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file.
Bad · Java
    File f = new File(downloadedFilePath);
    JarFile jf = new JarFile(f);
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-48523 | PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys — pyjwt | 5.4 | Medium | 2026-05-28 |
| CVE-2026-9793 | Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing — Red Hat Build of Keycloak | 5.9 | Medium | 2026-05-28 |
| CVE-2025-41669 | Insufficient Verification of Data Authenticity — AXC F 1152 | 8.8 | High | 2026-05-27 |
| CVE-2026-45575 | epa4all-client: Improper Verification of Cryptographic Signature — epa4all-client | 7.4 | High | 2026-05-26 |
| CVE-2026-44714 | bitcoinj: ScriptExecution P2PKH/P2WPKH Verification Bypass — bitcoinj | 7.5 | High | 2026-05-15 |
| CVE-2026-44309 | gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits — gitsign | 5.3 | Medium | 2026-05-15 |
| CVE-2024-36334 | AMD Graphics Driver data forgery vulnerability — AMD Radeon™ RX 7000 Series Graphics Products | - | - | 2026-05-15 |
| CVE-2026-0265 | PAN-OS: Authentication Bypass with Cloud Authentication Service (CAS) enabled — Cloud NGFW | - | - | 2026-05-13 |
| CVE-2026-41431 | Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted — desktop | 8.0 | High | 2026-05-11 |
| CVE-2026-42193 | Plunk: SNS webhook forgery — plunk | 9.1 | Critical | 2026-05-08 |
| CVE-2026-44497 | ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer — zebra | 9.1 (AI) | Critical (AI) | 2026-05-08 |
| CVE-2026-41669 | Admidio: SAML Signature Validation Result Ignored — Forged AuthnRequests and LogoutRequests Processed — admidio | 8.2 | High | 2026-05-07 |
| CVE-2026-7689 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification — ERP CRM | 3.7 | Low | 2026-05-03 |
| CVE-2026-33467 | Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass — Elastic Package Registry | 5.9 | Medium | 2026-04-28 |
| CVE-2026-6986 | Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification — Mongoose | 3.7 | Low | 2026-04-25 |
| CVE-2026-6966 | Signature Threshold Bypass in awslabs/tough Delegated Roles — tough | 5.3 | Medium | 2026-04-24 |
| CVE-2026-6911 | Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel — AWS Ops Wheel | 9.8 | Critical | 2026-04-24 |
| CVE-2026-34068 | nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge — nimiq-transaction | 6.8 | Medium | 2026-04-22 |
| CVE-2026-40372 | ASP.NET Core Elevation of Privilege Vulnerability — ASP.NET Core 10.0 | 9.1 | Critical | 2026-04-21 |
| CVE-2026-41301 | OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass — OpenClaw | 5.3 | Medium | 2026-04-20 |
| CVE-2026-5050 | Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation — Payment Gateway for Redsys & WooCommerce Lite | 7.5 | High | 2026-04-16 |
| CVE-2026-24032 | Siemens SINEC NMS data forgery vulnerability — SINEC NMS | 7.3 | High | 2026-04-14 |
| CVE-2026-0234 | Cortex XSOAR: Improper Verification of Cryptographic Signature in Microsoft Teams integration — Cortex XSOAR Microsoft Teams Marketplace | 9.1 | - | 2026-04-13 |
| CVE-2026-5466 | wc_VerifyEccsiHash missing sanity check — wolfSSL | 9.1 | - | 2026-04-10 |
| CVE-2026-40070 | bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) — bsv-ruby-sdk | 8.1 | High | 2026-04-09 |
| CVE-2026-39413 | LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API — LightRAG | 4.2 | Medium | 2026-04-08 |
| CVE-2026-2625 | Rust-rpm-sequoia: rust-rpm-sequoia: denial of service via crafted rpm file during signature verification — Red Hat Hardened Images | 4.0 | Medium | 2026-04-03 |
| CVE-2026-34840 | OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification — oneuptime | 8.1 | High | 2026-04-02 |
| CVE-2026-34240 | jose vulnerable to untrusted JWK header key acceptance during signature verification — jose | 7.5 | High | 2026-03-31 |
| CVE-2026-34377 | Zebra has a Consensus Failure due to Improper Verification of V5 Transactions — zebra | 7.5 (AI) | High (AI) | 2026-03-31 |

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 371 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.