Common Weakness Enumeration
CWE-323
AllowedReusing a Nonce, Key Pair in Encryption
Abstraction: Base · Status: Incomplete
Nonces should be used for the present occasion and only once.
78 vulnerabilities reference this CWE, most recent first.
CVE-2026-59099 (GCVE-0-2026-59099)
Vulnerability from cvelistv5 – Published: 2026-07-02 19:42 – Updated: 2026-07-14 22:03 X_Open Source
VLAI
EPSS
VEX
Title
Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure
Summary
Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis to decrypt the webflow conversation state due to keystream reuse caused by a fixed all-zero IV paired with the same encryption key.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://apereo.github.io/2026/06/18/vuln/ | vendor-advisory |
| https://github.com/apereo/cas/releases/tag/v8.0.0-RC6 | release-notes |
| https://github.com/geo-chen/oss/blob/main/cas.md | technical-descriptionexploit |
| https://github.com/apereo/cas/commit/22c6f4adf738… | patch |
| https://www.vulncheck.com/advisories/apereo-cas-r… | third-party-advisory |
Impacted products
Date Public
2026-06-18 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59099",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T12:29:20.364889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:30:35.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:github/apereo/cas",
"product": "cas",
"repo": "https://github.com/apereo/cas",
"vendor": "apereo",
"versions": [
{
"lessThan": "8.0.0-RC6",
"status": "affected",
"version": "7.3.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apereo:central_authentication_service:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.0-RC6",
"versionStartIncluding": "7.3.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Chen"
}
],
"datePublic": "2026-06-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis to decrypt the webflow conversation state due to keystream reuse caused by a fixed all-zero IV paired with the same encryption key."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T22:03:25.158Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Maintainer Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://apereo.github.io/2026/06/18/vuln/"
},
{
"name": "Release Notes",
"tags": [
"release-notes"
],
"url": "https://github.com/apereo/cas/releases/tag/v8.0.0-RC6"
},
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://github.com/geo-chen/oss/blob/main/cas.md"
},
{
"name": "Fix Commit",
"tags": [
"patch"
],
"url": "https://github.com/apereo/cas/commit/22c6f4adf738852782309b523b4e80371057f2d0"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/apereo-cas-rc6-aes-gcm-nonce-reuse-information-disclosure"
}
],
"tags": [
"x_open-source"
],
"title": "Apereo CAS 7.3.0 \u003c 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-59099",
"datePublished": "2026-07-02T19:42:51.897Z",
"dateReserved": "2026-07-02T15:38:18.929Z",
"dateUpdated": "2026-07-14T22:03:25.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56369 (GCVE-0-2026-56369)
Vulnerability from cvelistv5 – Published: 2026-06-30 22:08 – Updated: 2026-07-01 15:07
VLAI
EPSS
VEX
Title
ImageMagick - Information Disclosure via AES-CTR Nonce Reuse in PasskeyEncipherImage
Summary
ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ImageMagick/ImageMagick/securi… | vendor-advisory |
| https://www.vulncheck.com/advisories/imagemagick-… | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ImageMagick | ImageMagick |
Affected:
0 , < 7.1.2-22
(semver)
Unaffected: 7.1.2-22 (semver) |
|
| ImageMagick | ImageMagick |
Affected:
0 , < 6.9.13-47
(semver)
Unaffected: 6.9.13-47 (semver) |
Date Public
2026-05-16 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:06:08.535426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:07:57.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ImageMagick",
"vendor": "ImageMagick",
"versions": [
{
"lessThan": "7.1.2-22",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7.1.2-22",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ImageMagick",
"vendor": "ImageMagick",
"versions": [
{
"lessThan": "6.9.13-47",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "6.9.13-47",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1.2-22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.13-47",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "007bsd"
},
{
"lang": "en",
"type": "reporter",
"value": "LuiginoC"
}
],
"datePublic": "2026-05-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T22:08:38.920Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-qv2q-c278-pch5)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qv2q-c278-pch5"
},
{
"name": "VulnCheck Advisory: ImageMagick - Information Disclosure via AES-CTR Nonce Reuse in PasskeyEncipherImage",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/imagemagick-information-disclosure-via-aes-ctr-nonce-reuse-in-passkeyencipherimage"
}
],
"title": "ImageMagick - Information Disclosure via AES-CTR Nonce Reuse in PasskeyEncipherImage",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56369",
"datePublished": "2026-06-30T22:08:38.920Z",
"dateReserved": "2026-06-21T02:05:21.920Z",
"dateUpdated": "2026-07-01T15:07:57.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55967 (GCVE-0-2026-55967)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:53 – Updated: 2026-06-25 17:57
VLAI
EPSS
VEX
Title
AES-GCM streaming APIs do not reject >64 GiB cumulative single messages, enabling counter wrap and keystream reuse
Summary
AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T17:57:03.803039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T17:57:09.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/wolfSSL/wolfssl",
"defaultStatus": "unaffected",
"product": "wolfSSL",
"vendor": "wolfSSL",
"versions": [
{
"lessThanOrEqual": "5.9.1",
"status": "affected",
"version": "4.8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "NVIDIA Project Vanessa"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAES-GCM encryption/decryption with extremely large cumulative single message sizes (\u0026gt;64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.\u003c/p\u003e"
}
],
"value": "AES-GCM encryption/decryption with extremely large cumulative single message sizes (\u003e64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323 Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:53:14.695Z",
"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"shortName": "wolfSSL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/wolfSSL/wolfssl/pull/10709"
},
{
"url": "https://www.wolfssl.com/docs/security-vulnerabilities/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AES-GCM streaming APIs do not reject \u003e64 GiB cumulative single messages, enabling counter wrap and keystream reuse",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"assignerShortName": "wolfSSL",
"cveId": "CVE-2026-55967",
"datePublished": "2026-06-25T16:53:14.695Z",
"dateReserved": "2026-06-17T22:11:03.531Z",
"dateUpdated": "2026-06-25T17:57:09.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49952 (GCVE-0-2026-49952)
Vulnerability from cvelistv5 – Published: 2026-06-15 18:43 – Updated: 2026-06-16 09:48 X_Open Source
VLAI
EPSS
VEX
Title
Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle
Summary
Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://karmainsecurity.com/KIS-2026-09 | technical-description |
| https://karmainsecurity.com/chaining-bugs-in-disc… | exploit |
| https://gitee.com/Discuz/DiscuzX/commit/9962dad52… | patch |
| https://www.vulncheck.com/advisories/discuz-x5-0-… | third-party-advisory |
| http://seclists.org/fulldisclosure/2026/Jun/3 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Discuz! | Discuz! X5.0 |
Affected:
20260320 , ≤ 20260501
(date)
|
Date Public
2026-05-09 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49952",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T19:58:52.987295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T19:59:18.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-16T09:48:23.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2026/Jun/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Discuz! X5.0",
"repo": "https://gitee.com/Discuz/DiscuzX",
"vendor": "Discuz!",
"versions": [
{
"lessThanOrEqual": "20260501",
"status": "affected",
"version": "20260320",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Egidio Romano"
}
],
"datePublic": "2026-05-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Discuz! X5.0 releases 20260320 through 20260501 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality by exploiting a shared cryptographic key between UCenter integration and the database backup API exposed by dbbak.php. Attackers can inject a crafted payload through the username parameter during login to abuse the encryption oracle in logging_ctl::logging_more(), obtain a legitimately signed token, and use it to bypass authorization for database export and import operations, with the additional ability to trigger a race condition to impersonate arbitrary users."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T18:52:07.338Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://karmainsecurity.com/KIS-2026-09"
},
{
"tags": [
"exploit"
],
"url": "https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce"
},
{
"tags": [
"patch"
],
"url": "https://gitee.com/Discuz/DiscuzX/commit/9962dad52c4c6999dabaf91ecd70377c680ff3c6"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/discuz-x5-0-authentication-bypass-via-dbbak-php-encryption-oracle"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Discuz! X5.0 Authentication Bypass via dbbak.php Encryption Oracle",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-49952",
"datePublished": "2026-06-15T18:43:21.990Z",
"dateReserved": "2026-06-02T16:30:15.232Z",
"dateUpdated": "2026-06-16T09:48:23.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45028 (GCVE-0-2026-45028)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:50 – Updated: 2026-05-14 18:33
VLAI
EPSS
VEX
Title
Astro: Server island encrypted parameters vulnerable to cross-component replay
Summary
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/withastro/astro/security/advis… | x_refsource_CONFIRM |
| https://github.com/withastro/astro/pull/16457 | x_refsource_MISC |
| https://github.com/withastro/astro/commit/3d82220… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:29:40.855839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:33:24.630Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 6.1.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component\u0027s encrypted props (p) value as another component\u0027s slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.9,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323: Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:50:49.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-xr5h-phrj-8vxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xr5h-phrj-8vxv"
},
{
"name": "https://github.com/withastro/astro/pull/16457",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/pull/16457"
},
{
"name": "https://github.com/withastro/astro/commit/3d82220a1549e699e34ed433f3846a919f4c02bd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/3d82220a1549e699e34ed433f3846a919f4c02bd"
}
],
"source": {
"advisory": "GHSA-xr5h-phrj-8vxv",
"discovery": "UNKNOWN"
},
"title": "Astro: Server island encrypted parameters vulnerable to cross-component replay"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45028",
"datePublished": "2026-05-13T15:50:49.869Z",
"dateReserved": "2026-05-08T16:58:28.897Z",
"dateUpdated": "2026-05-14T18:33:24.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30785 (GCVE-0-2026-30785)
Vulnerability from cvelistv5 – Published: 2026-03-05 16:04 – Updated: 2026-03-06 10:32
VLAI
EPSS
VEX
Title
RustDesk Encrypts Local Passwords with World-Readable Machine ID and Fixed Zero Nonce (XSalsa20-Poly1305)
Summary
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs and program routines symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id().
This issue affects RustDesk Client: through 1.4.5.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/rustdesk/rustdesk/discussions/9229 | technical-descriptionx_--config documentation |
| https://github.com/rustdesk/rustdesk/discussions/4979 | technical-descriptionx_--config documentation |
| https://docs.google.com/document/d/e/2PACX-1vSds6… | third-party-advisoryexploit |
| https://www.vulsec.org/ | vdb-entrythird-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rustdesk-client | RustDesk Client |
Affected:
0 , ≤ 1.4.5
(custom)
|
Date Public
2026-03-05 13:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30785",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T10:32:18.593322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T10:32:38.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/rustdesk/rustdesk/releases",
"defaultStatus": "affected",
"modules": [
"Password security module",
"config encryption",
"machine UID"
],
"packageName": "rustdesk, hbb_common",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "RustDesk Client",
"programFiles": [
"hbb_common/src/password_security.rs",
"hbb_common/src/config.rs",
"hbb_common/src/lib.rs (get_uuid)",
"machine-uid/src/lib.rs"
],
"programRoutines": [
{
"name": "symmetric_crypt()"
},
{
"name": "encrypt_str_or_original()"
},
{
"name": "decrypt_str_or_original()"
},
{
"name": "get_uuid()"
},
{
"name": "get_machine_id()"
}
],
"repo": "https://github.com/rustdesk/hbb_common,https://github.com/rustdesk-org/machine-uid",
"vendor": "rustdesk-client",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Default \u2014 any desktop installation with permanent password or saved peers"
}
],
"value": "Default \u2014 any desktop installation with permanent password or saved peers"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erez Kalman"
},
{
"lang": "en",
"type": "reporter",
"value": "Erez Kalman"
}
],
"datePublic": "2026-03-05T13:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003ehbb_common/src/password_security.Rs\u003c/tt\u003e, \u003ctt\u003ehbb_common/src/config.Rs\u003c/tt\u003e, \u003ctt\u003ehbb_common/src/lib.Rs (get_uuid)\u003c/tt\u003e, \u003ctt\u003emachine-uid/src/lib.Rs\u003c/tt\u003e and program routines \u003ctt\u003esymmetric_crypt()\u003c/tt\u003e, \u003ctt\u003eencrypt_str_or_original()\u003c/tt\u003e, \u003ctt\u003edecrypt_str_or_original()\u003c/tt\u003e, \u003ctt\u003eget_uuid()\u003c/tt\u003e, \u003ctt\u003eget_machine_id()\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Client: through 1.4.5.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027), Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk, hbb_common on Windows, MacOS, Linux (Password security module, config encryption, machine UID modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program files hbb_common/src/password_security.Rs, hbb_common/src/config.Rs, hbb_common/src/lib.Rs (get_uuid), machine-uid/src/lib.Rs and program routines symmetric_crypt(), encrypt_str_or_original(), decrypt_str_or_original(), get_uuid(), get_machine_id().\n\nThis issue affects RustDesk Client: through 1.4.5."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PoC available. Trivially exploitable.\u003cbr\u003e"
}
],
"value": "PoC available. Trivially exploitable."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-916",
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T17:05:28.602Z",
"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"shortName": "VULSec"
},
"references": [
{
"tags": [
"technical-description",
"x_--config documentation"
],
"url": "https://github.com/rustdesk/rustdesk/discussions/9229"
},
{
"tags": [
"technical-description",
"x_--config documentation"
],
"url": "https://github.com/rustdesk/rustdesk/discussions/4979"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
},
{
"tags": [
"vdb-entry",
"third-party-advisory"
],
"url": "https://www.vulsec.org/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use one-way hashing (Argon2id) for passwords. Use OS-native credential stores (DPAPI, Keychain, libsecret) for recoverable secrets. Apply proper KDF. Use random nonces."
}
],
"value": "Use one-way hashing (Argon2id) for passwords. Use OS-native credential stores (DPAPI, Keychain, libsecret) for recoverable secrets. Apply proper KDF. Use random nonces."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RustDesk Encrypts Local Passwords with World-Readable Machine ID and Fixed Zero Nonce (XSalsa20-Poly1305)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Set restrictive file permissions on TOML config files. Avoid saving peer passwords."
}
],
"value": "Set restrictive file permissions on TOML config files. Avoid saving peer passwords."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"assignerShortName": "VULSec",
"cveId": "CVE-2026-30785",
"datePublished": "2026-03-05T16:04:36.443Z",
"dateReserved": "2026-03-05T14:13:35.407Z",
"dateUpdated": "2026-03-06T10:32:38.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25998 (GCVE-0-2026-25998)
Vulnerability from cvelistv5 – Published: 2026-02-19 15:51 – Updated: 2026-02-20 15:42
VLAI
EPSS
VEX
Title
strongMan vulnerable to private credential recovery due to key and counter reuse
Summary
strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/strongswan/strongMan/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| strongswan | strongMan |
Affected:
< 0.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:32:21.931190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:42:52.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "strongMan",
"vendor": "strongswan",
"versions": [
{
"status": "affected",
"version": "\u003c 0.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323: Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1204",
"description": "CWE-1204: Generation of Weak Initialization Vector (IV)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T15:53:30.113Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/strongswan/strongMan/security/advisories/GHSA-88w4-jv97-c8xr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/strongswan/strongMan/security/advisories/GHSA-88w4-jv97-c8xr"
}
],
"source": {
"advisory": "GHSA-88w4-jv97-c8xr",
"discovery": "UNKNOWN"
},
"title": "strongMan vulnerable to private credential recovery due to key and counter reuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25998",
"datePublished": "2026-02-19T15:51:35.349Z",
"dateReserved": "2026-02-09T17:41:55.859Z",
"dateUpdated": "2026-02-20T15:42:52.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21383 (GCVE-0-2026-21383)
Vulnerability from cvelistv5 – Published: 2026-07-06 20:09 – Updated: 2026-07-08 03:56
VLAI
EPSS
VEX
Title
Reusing a Nonce, Key Pair in Encryption in HLOS
Summary
Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Qualcomm, Inc. | Snapdragon |
Affected:
FastConnect 6900
Affected: FastConnect 7800 Affected: LeMans_AU_LGIT Affected: LeMansAU Affected: Pandeiro Affected: QAM8255P Affected: QAM8397P Affected: QAM8797P Affected: QAMSRV1H Affected: QAMSRV1M Affected: QCA6595AU Affected: QCA6696 Affected: QCA6698AQ Affected: QCA6797AQ Affected: QCA8695AU Affected: QDU1000 Affected: QDU1110 Affected: QDU1210 Affected: QDX1010 Affected: QDX1011 Affected: QLN1083BD Affected: QLN1086BD Affected: QPA1083BD Affected: QPA1086BD Affected: Qualcomm Dragonwing X100 Accelerator Card Affected: QXM1093 Affected: QXM1094 Affected: QXM1095 Affected: QXM1096 Affected: SA7255P Affected: SA7775P Affected: SA8255P Affected: SA8620P Affected: SA8770P Affected: SA9000P Affected: SAR1165P Affected: SAR2130P Affected: Snapdragon AR1 Gen 1 Platform Affected: Snapdragon AR1+ Gen 1 Platform Affected: SRV1H Affected: SRV1M Affected: SXR2230P Affected: SXR2250P Affected: WCD9380 Affected: WCD9385 Affected: WCN3950 Affected: WCN7860 Affected: WCN7861 Affected: WSA8830 Affected: WSA8832 Affected: WSA8835 Affected: XRV7209 Affected: XRV9209 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T03:56:37.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Snapdragon Auto",
"Snapdragon CCW",
"Snapdragon Compute",
"Snapdragon Industrial IOT",
"Snapdragon Mobile"
],
"product": "Snapdragon",
"vendor": "Qualcomm, Inc.",
"versions": [
{
"status": "affected",
"version": "FastConnect 6900"
},
{
"status": "affected",
"version": "FastConnect 7800"
},
{
"status": "affected",
"version": "LeMans_AU_LGIT"
},
{
"status": "affected",
"version": "LeMansAU"
},
{
"status": "affected",
"version": "Pandeiro"
},
{
"status": "affected",
"version": "QAM8255P"
},
{
"status": "affected",
"version": "QAM8397P"
},
{
"status": "affected",
"version": "QAM8797P"
},
{
"status": "affected",
"version": "QAMSRV1H"
},
{
"status": "affected",
"version": "QAMSRV1M"
},
{
"status": "affected",
"version": "QCA6595AU"
},
{
"status": "affected",
"version": "QCA6696"
},
{
"status": "affected",
"version": "QCA6698AQ"
},
{
"status": "affected",
"version": "QCA6797AQ"
},
{
"status": "affected",
"version": "QCA8695AU"
},
{
"status": "affected",
"version": "QDU1000"
},
{
"status": "affected",
"version": "QDU1110"
},
{
"status": "affected",
"version": "QDU1210"
},
{
"status": "affected",
"version": "QDX1010"
},
{
"status": "affected",
"version": "QDX1011"
},
{
"status": "affected",
"version": "QLN1083BD"
},
{
"status": "affected",
"version": "QLN1086BD"
},
{
"status": "affected",
"version": "QPA1083BD"
},
{
"status": "affected",
"version": "QPA1086BD"
},
{
"status": "affected",
"version": "Qualcomm Dragonwing X100 Accelerator Card"
},
{
"status": "affected",
"version": "QXM1093"
},
{
"status": "affected",
"version": "QXM1094"
},
{
"status": "affected",
"version": "QXM1095"
},
{
"status": "affected",
"version": "QXM1096"
},
{
"status": "affected",
"version": "SA7255P"
},
{
"status": "affected",
"version": "SA7775P"
},
{
"status": "affected",
"version": "SA8255P"
},
{
"status": "affected",
"version": "SA8620P"
},
{
"status": "affected",
"version": "SA8770P"
},
{
"status": "affected",
"version": "SA9000P"
},
{
"status": "affected",
"version": "SAR1165P"
},
{
"status": "affected",
"version": "SAR2130P"
},
{
"status": "affected",
"version": "Snapdragon AR1 Gen 1 Platform"
},
{
"status": "affected",
"version": "Snapdragon AR1+ Gen 1 Platform"
},
{
"status": "affected",
"version": "SRV1H"
},
{
"status": "affected",
"version": "SRV1M"
},
{
"status": "affected",
"version": "SXR2230P"
},
{
"status": "affected",
"version": "SXR2250P"
},
{
"status": "affected",
"version": "WCD9380"
},
{
"status": "affected",
"version": "WCD9385"
},
{
"status": "affected",
"version": "WCN3950"
},
{
"status": "affected",
"version": "WCN7860"
},
{
"status": "affected",
"version": "WCN7861"
},
{
"status": "affected",
"version": "WSA8830"
},
{
"status": "affected",
"version": "WSA8832"
},
{
"status": "affected",
"version": "WSA8835"
},
{
"status": "affected",
"version": "XRV7209"
},
{
"status": "affected",
"version": "XRV9209"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323: Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:09:39.251Z",
"orgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
"shortName": "qualcomm"
},
"references": [
{
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html"
}
],
"title": "Reusing a Nonce, Key Pair in Encryption in HLOS"
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
"assignerShortName": "qualcomm",
"cveId": "CVE-2026-21383",
"datePublished": "2026-07-06T20:09:39.251Z",
"dateReserved": "2025-12-17T04:35:45.743Z",
"dateUpdated": "2026-07-08T03:56:37.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13602 (GCVE-0-2026-13602)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:27
VLAI
EPSS
VEX
Title
Session takeover vulnerability
Summary
We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:
*
The payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay
contain a code path that is intended for the transport of session
parameters from a tab with isolated cookies (e.g. in the pretix widget)
to a new tab. For this purpose, a set of session parameters is
cryptographically signed and then passed to the new tab as a URL
parameter. The plugins perform no further validation of the session
parameters, other than the cryptographic signature being valid. This is
fixed with the releases issued today by strictly validating that no
session parameters outside of the scope of the respective plugin may be
set.
*
An unrelated feature in the core system is used to generate redirect links that obfuscate any Referer
headers for outgoing links to prevent leakage of secrets in URLs. This
redirect page also requires cryptographically signed parameters.
Unfortunately, it uses the same key and salt for the signature as the
previously mentioned feature in the payment integration plugins. A
motivated attacker with access to at least one event in the backend can
trick the system into cryptographically signing arbitrary content using
specially crafted links. In combination with the previous issue, the
attacker could use this to set and modify arbitrary parameters on their
user session by injecting the signed parameters into the feature of the
payment providers. This is fixed with the releases issued today by using
different salts for the signature for each plugin and feature.
*
A third, unrelated feature in the core system is used for admin users
to act on behalf of another user, mostly for debugging purposes. With
being able to insert arbitrary parameters into a session, an attacker
can abuse this feature to change their session from their actual user to
any user in the system by guessing a valid user ID. This is fixed with
the release today by requiring unguessable information to be contained
in the session of the user to switch to.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://pretix.eu/about/en/blog/20260701-release-… | vendor-advisory |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| pretix | pretix |
Affected:
4.14.0 , < 2026.3.5
(python)
Affected: 2026.4.0 , < 2026.4.5 (python) Affected: 2026.5.0 , < 2026.5.3 (python) |
|
| pretix | pretix-mollie |
Affected:
0 , < 2.5.7
(python)
|
|
| pretix | pretix-oppwa |
Affected:
0 , < 1.4.4
(python)
|
|
| pretix | pretix-bitpay |
Affected:
0 , < 1.5.3
(python)
|
|
| pretix | pretix-payone |
Affected:
0 , < 1.4.3
(python)
|
|
| pretix | pretix-secuconnect |
Affected:
0 , < 1.0.4
(python)
|
|
| pretix | pretix-sofort |
Affected:
0 , < 1.4.2
(python)
|
|
| pretix | pretix-saferpay |
Affected:
0 , < 1.6.3
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:26:54.400278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:27:00.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix",
"product": "pretix",
"repo": "https://github.com/pretix/pretix",
"vendor": "pretix",
"versions": [
{
"lessThan": "2026.3.5",
"status": "affected",
"version": "4.14.0",
"versionType": "python"
},
{
"lessThan": "2026.4.5",
"status": "affected",
"version": "2026.4.0",
"versionType": "python"
},
{
"lessThan": "2026.5.3",
"status": "affected",
"version": "2026.5.0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-mollie",
"product": "pretix-mollie",
"repo": "https://github.com/pretix/pretix-mollie",
"vendor": "pretix",
"versions": [
{
"lessThan": "2.5.7",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-oppwa",
"product": "pretix-oppwa",
"repo": "https://github.com/pretix/pretix-oppwa",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-bitpay",
"product": "pretix-bitpay",
"repo": "https://github.com/pretix/pretix-bitpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-payone",
"product": "pretix-payone",
"repo": "https://github.com/pretix/pretix-payone",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-secuconnect",
"product": "pretix-secuconnect",
"repo": "https://github.com/pretix/pretix-secuconnect",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-sofort",
"product": "pretix-sofort",
"repo": "https://github.com/pretix/pretix-sofort",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
},
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pretix-saferpay",
"product": "pretix-saferpay",
"repo": "https://github.com/pretix/pretix-saferpay",
"vendor": "pretix",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWe found a chain of combining multiple weaknesses in the product that could allow an attacker to become \u003cstrong\u003eany\u003c/strong\u003e user in the backend and access \u003cstrong\u003eany\u003c/strong\u003e data:\u003c/p\u003e\u003cp\u003e\n\u003c/p\u003e\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe payment integration plugins Stripe (included in the core system), \u003ccode\u003epretix-mollie\u003c/code\u003e, \u003ccode\u003epretix-oppwa\u003c/code\u003e, \u003ccode\u003epretix-bitpay\u003c/code\u003e, \u003ccode\u003epretix-payone\u003c/code\u003e, \u003ccode\u003epretix-secuconnect\u003c/code\u003e, \u003ccode\u003epretix-sofort\u003c/code\u003e, and \u003ccode\u003epretix-saferpay\u003c/code\u003e\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAn unrelated feature in the core system is used to generate redirect links that obfuscate any \u003ccode\u003eReferer\u003c/code\u003e\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.\u003c/p\u003e\n\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n * \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n * \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n * \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323 Reusing a nonce, key pair in encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:45:30.615Z",
"orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"shortName": "rami.io"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"
}
],
"title": "Session takeover vulnerability",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If you are unable to update quickly, we recommend to block the URL \u003ccode\u003e/control/users/impersonate/stop\u003c/code\u003e in your webserver configuration. In nginx, you can do this by inserting \u003ccode\u003elocation /control/users/impersonate/stop { deny all; }\u003c/code\u003e\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"value": "If you are unable to update quickly, we recommend to block the URL /control/users/impersonate/stop in your webserver configuration. In nginx, you can do this by inserting location /control/users/impersonate/stop { deny all; }\n into the correct block. However, this only remedies the most critical \nimpact the other vulnerabilities have, and we still recommend you plan \nan update as soon as possible."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
"assignerShortName": "rami.io",
"cveId": "CVE-2026-13602",
"datePublished": "2026-07-01T13:45:30.615Z",
"dateReserved": "2026-06-29T08:26:50.725Z",
"dateUpdated": "2026-07-01T15:27:00.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12205 (GCVE-0-2026-12205)
Vulnerability from cvelistv5 – Published: 2026-06-15 21:57 – Updated: 2026-06-16 16:13
VLAI
EPSS
VEX
Title
Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery
Summary
Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.
Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it.
The first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical "r".
Keys used to sign more than once with an affected version should be considered compromised.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-323 - Reusing a Nonce, Key Pair in Encryption
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TIMLEGGE | Crypt::DSA |
Affected:
0 , < 1.21
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-15T22:44:28.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/15/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-12205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:13:28.769417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:13:32.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-DSA",
"product": "Crypt::DSA",
"programFiles": [
"lib/Crypt/DSA.pm"
],
"programRoutines": [
{
"name": "Crypt::DSA::sign"
}
],
"repo": "https://github.com/perl-Crypt-OpenPGP/Crypt-DSA",
"vendor": "TIMLEGGE",
"versions": [
{
"lessThan": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Richard Kettlewell"
}
],
"descriptions": [
{
"lang": "en",
"value": "Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.\n\nCrypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it.\n\nThe first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical \"r\".\n\nKeys used to sign more than once with an affected version should be considered compromised."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-323",
"description": "CWE-323 Reusing a Nonce, Key Pair in Encryption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T21:57:18.317Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/source/lib/Crypt/DSA.pm#L47"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 1.21\n\nRevoke any keys that may have been compromised.\n\nCrypt::DSA was deprecated in version 1.20. You should migrate to another solution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-16T00:00:00.000Z",
"value": "Maintainer contacted"
},
{
"lang": "en",
"time": "2026-06-13T00:00:00.000Z",
"value": "Maintainer and CPANSec contacted"
},
{
"lang": "en",
"time": "2026-06-14T00:00:00.000Z",
"value": "Fixed version released"
}
],
"title": "Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-12205",
"datePublished": "2026-06-15T21:57:18.317Z",
"dateReserved": "2026-06-14T12:07:30.610Z",
"dateUpdated": "2026-06-16T16:13:32.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Implementation
Refuse to reuse nonce values.
Mitigation
Implementation
Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.
No CAPEC attack patterns related to this CWE.