What is the CVSS score of CVE-2026-33487?

CVE-2026-33487 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Jwt Attack are affected by CVE-2026-33487?

The goxmldsig library versions prior to 1.6.0 contain a critical XML Digital Signature validation bypass that allows unauthenticated attackers to forge or manipulate XML signatures, directly…. A patch is available.

Jwt Attack CVE-2026-33487

HIGH

Improper Verification of Cryptographic Signature (CWE-347)

2026-03-26 GitHub_M

Information Disclosure Jwt Attack

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 20, 2026 - 14:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 20, 2026 - 14:22 vuln.today

cvss_changed

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 26, 2026 - 17:45 vuln.today

CVE Published

Mar 26, 2026 - 17:17 nvd

HIGH 7.5

DescriptionNVD

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable _ref instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the ref pointer will always end up pointing to the last element in the SignedInfo.References slice after the loop. goxmlsig version 1.6.0 contains a patch.

AnalysisAI

XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. …

RemediationAI

Within 24 hours: Identify all applications and dependencies using russellhaering/goxmldsig library versions prior to 1.6.0 via software bill of materials (SBOM) review and dependency scanning. Within 7 days: Upgrade goxmldsig to version 1.6.0 or later and rebuild/redeploy affected applications; verify Go runtime is version 1.22 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-33487 vulnerability details – vuln.today

Back

Jwt Attack CVE-2026-33487

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code