CVE-2026-33487
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Description
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.
Analysis
XML Digital Signature validation in the russellhaering/goxmldsig Go library can be bypassed due to a loop variable capture bug affecting versions prior to 1.6.0. Unauthenticated remote attackers can exploit this flaw to manipulate signature validation by crafting XML documents with multiple references in the SignedInfo block, causing the validator to use the wrong reference and accept invalid signatures. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all internal and third-party applications using russellhaering/goxmldsig and identify those in production handling XML signatures. Within 7 days: Contact affected library maintainers and application vendors to confirm remediation roadmap; prepare isolated test environment to validate upgrade to goxmldsig 1.6.0 or later once released. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today