Skip to main content

Goxmldsig

3 CVEs product

Monthly

CVE-2026-33487 Go HIGH PATCH This Week

XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.

Jwt Attack Information Disclosure Goxmldsig
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2020-15216 Go MEDIUM PATCH This Month

In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Authentication Bypass Goxmldsig Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2020-7711 Go HIGH POC PATCH This Week

This affects all versions of package github.com/russellhaering/goxmldsig. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Goxmldsig
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.

Jwt Attack Information Disclosure Goxmldsig
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Authentication Bypass Goxmldsig +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

This affects all versions of package github.com/russellhaering/goxmldsig. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Goxmldsig
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy