Skip to main content

Signinghub

6 CVEs product

Monthly

CVE-2025-54321 CRITICAL This Week

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Signinghub
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-54320 MEDIUM Monitor

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Signinghub
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-56224 HIGH This Week

Authentication bypass in Ascertia SigningHub v8.6.8 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) verification endpoint because it enforces no rate limiting, allowing them to defeat the second verification factor and gain access to signing accounts. The flaw is tagged as an Authentication Bypass and carries a high CVSS of 8.1, though the AC:H metric reflects that success depends on iterating through the OTP keyspace. No CISA KEV listing exists and EPSS is modest (0.46%, 37th percentile), indicating no confirmed active exploitation, but a CVE-named public GitHub repository referenced by NVD suggests exploit details may be circulating.

Authentication Bypass Signinghub
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-56223 HIGH This Week

Denial of service in Ascertia SigningHub v8.6.8 stems from a missing rate limit on the /Home/UploadStreamDocument endpoint, letting attackers flood the server with an excessive number of file uploads until resources are exhausted and the e-signature service becomes unavailable. The CVSS vector marks it network-reachable and unauthenticated (PR:N) with high availability impact but no confidentiality or integrity effect. A GitHub repository (saykino/CVE-2025-56223) associated with the CVE indicates publicly available exploit code exists; the flaw is not in CISA KEV and EPSS exploitation probability is modest at 0.54%.

Denial Of Service Signinghub
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-56219 HIGH This Week

Uncontrolled account creation in Ascertia SigningHub v8.6.8 allows an attacker to repeatedly add user accounts with no rate limiting, driving resource exhaustion and a denial-of-service condition on the e-signature platform. The flaw stems from improper access control (CWE-284) around the account-provisioning function and is exploitable over the network by a low-privileged actor per the CVSS vector (PR:L). Publicly available exploit code exists (GitHub saykino/CVE-2025-56219), but there is no confirmed active exploitation and EPSS remains low at 0.37% (29th percentile).

Authentication Bypass Denial Of Service Signinghub
NVD GitHub
CVSS 3.1
7.1
EPSS
0.4%
CVE-2025-56218 CRITICAL Act Now

Arbitrary code execution in Ascertia SigningHub v8.6.8 stems from an unrestricted file upload weakness that lets an attacker upload a crafted PDF which is processed or stored in a way that yields server-side code execution. SigningHub is an enterprise/e-government digital signature and document workflow platform, so a compromise exposes signing keys, signed documents, and the workflow backend. Publicly available exploit code exists (GitHub PoC referenced), but there is no public exploit identified as actively used; EPSS is modest at 0.67% (47th percentile) and it is not in CISA KEV.

RCE File Upload Signinghub
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
EPSS 0% CVSS 9.8
CRITICAL This Week

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Signinghub
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM Monitor

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Signinghub
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in Ascertia SigningHub v8.6.8 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) verification endpoint because it enforces no rate limiting, allowing them to defeat the second verification factor and gain access to signing accounts. The flaw is tagged as an Authentication Bypass and carries a high CVSS of 8.1, though the AC:H metric reflects that success depends on iterating through the OTP keyspace. No CISA KEV listing exists and EPSS is modest (0.46%, 37th percentile), indicating no confirmed active exploitation, but a CVE-named public GitHub repository referenced by NVD suggests exploit details may be circulating.

Authentication Bypass Signinghub
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Denial of service in Ascertia SigningHub v8.6.8 stems from a missing rate limit on the /Home/UploadStreamDocument endpoint, letting attackers flood the server with an excessive number of file uploads until resources are exhausted and the e-signature service becomes unavailable. The CVSS vector marks it network-reachable and unauthenticated (PR:N) with high availability impact but no confidentiality or integrity effect. A GitHub repository (saykino/CVE-2025-56223) associated with the CVE indicates publicly available exploit code exists; the flaw is not in CISA KEV and EPSS exploitation probability is modest at 0.54%.

Denial Of Service Signinghub
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Uncontrolled account creation in Ascertia SigningHub v8.6.8 allows an attacker to repeatedly add user accounts with no rate limiting, driving resource exhaustion and a denial-of-service condition on the e-signature platform. The flaw stems from improper access control (CWE-284) around the account-provisioning function and is exploitable over the network by a low-privileged actor per the CVSS vector (PR:L). Publicly available exploit code exists (GitHub saykino/CVE-2025-56219), but there is no confirmed active exploitation and EPSS remains low at 0.37% (29th percentile).

Authentication Bypass Denial Of Service Signinghub
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution in Ascertia SigningHub v8.6.8 stems from an unrestricted file upload weakness that lets an attacker upload a crafted PDF which is processed or stored in a way that yields server-side code execution. SigningHub is an enterprise/e-government digital signature and document workflow platform, so a compromise exposes signing keys, signed documents, and the workflow backend. Publicly available exploit code exists (GitHub PoC referenced), but there is no public exploit identified as actively used; EPSS is modest at 0.67% (47th percentile) and it is not in CISA KEV.

RCE File Upload Signinghub
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy