🚨 CVE-2026-6678
Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.
🎖@cveNotify
Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.
🎖@cveNotify
GitHub
PKCS#7 fixes by Frauschi · Pull Request #10203 · wolfSSL/wolfssl
Fixes for various issues found in PKCS#7 code.
Fixes zd21593, F-2683, F-2684, F-2686, F-1552, F-1990, F-2681, F-2685, F-1991, F-1992, F-2679, F-2680. Also fixes a regression when building with --en...
Fixes zd21593, F-2683, F-2684, F-2686, F-1552, F-1990, F-2681, F-2685, F-1991, F-1992, F-2679, F-2680. Also fixes a regression when building with --en...
🚨 CVE-2026-6679
A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and then overrun. This affects builds using DTLS 1.3 and wolfSSL version 5.9.0 and earlier. A fix was added to the 5.9.1 release.
🎖@cveNotify
A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and then overrun. This affects builds using DTLS 1.3 and wolfSSL version 5.9.0 and earlier. A fix was added to the 5.9.1 release.
🎖@cveNotify
GitHub
Additional fixes by Frauschi · Pull Request #10116 · wolfSSL/wolfssl
zd21457
🚨 CVE-2026-6731
X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.
🎖@cveNotify
X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.
🎖@cveNotify
GitHub
CN constraints fix by rlm2002 · Pull Request #10223 · wolfSSL/wolfssl
Description
Applies DNS name constraints to Subject CN when SAN is unavailable.
Fixes zd#21611
Checklist
added tests
updated/added doxygen
updated appropriate READMEs
Updated manual and docume...
Applies DNS name constraints to Subject CN when SAN is unavailable.
Fixes zd#21611
Checklist
added tests
updated/added doxygen
updated appropriate READMEs
Updated manual and docume...
🚨 CVE-2021-47987
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
🎖@cveNotify
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected tags (for example, parse-server#4.9.3). The code behind the tags was not reviewed or approved, and although no malicious code was identified, the introduction of security vulnerabilities could not be ruled out.
🎖@cveNotify
GitHub
Incorrect version tags linked to external repository
### Impact
A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write ac...
A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write ac...
🚨 CVE-2026-10098
OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation status of a different certificate. The lookup compared serial-number bytes without first requiring the two serial numbers to be of equal length, so a SingleResponse for one certificate (same issuer) whose serial is a prefix of the target's serial would match, returning the wrong certificate's status. The fix requires the serial lengths to be equal before comparing the serial bytes.
🎖@cveNotify
OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation status of a different certificate. The lookup compared serial-number bytes without first requiring the two serial numbers to be of equal length, so a SingleResponse for one certificate (same issuer) whose serial is a prefix of the target's serial would match, returning the wrong certificate's status. The fix requires the serial lengths to be equal before comparing the serial bytes.
🎖@cveNotify
GitHub
OCSP_resp_find_status to require exact serial-length match by gasbytes · Pull Request #10554 · wolfSSL/wolfssl
Description
Require equal serial lengths before comparing serial bytes so a response serial that is only a prefix of the requested serial is not treated as a match.
Fixes zd#21903
Testing
Added ass...
Require equal serial lengths before comparing serial bytes so a response serial that is only a prefix of the requested serial is not treated as a match.
Fixes zd#21903
Testing
Added ass...
🚨 CVE-2026-11703
Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual hosts, carry the cached peer-authentication state into a context it was not established for. Resumption now verifies the SNI/ALPN binding for all paths and declines (falling back to a full handshake) on mismatch.
🎖@cveNotify
Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual hosts, carry the cached peer-authentication state into a context it was not established for. Resumption now verifies the SNI/ALPN binding for all paths and declines (falling back to a full handshake) on mismatch.
🎖@cveNotify
GitHub
Check SNI/ALPN in TLS 1.2/1.3 session resumptions by holtrop-wolfssl · Pull Request #10489 · wolfSSL/wolfssl
Description
Fixes zd#21798
Testing
How did you test?
Checklist
added tests
updated/added doxygen
updated appropriate READMEs
Updated manual and documentation
Fixes zd#21798
Testing
How did you test?
Checklist
added tests
updated/added doxygen
updated appropriate READMEs
Updated manual and documentation
🚨 CVE-2026-22879
vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability
🎖@cveNotify
vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability
🎖@cveNotify
🚨 CVE-2026-40702
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.
🎖@cveNotify
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system.
🎖@cveNotify
evokesystems
Smart EV Charging Solutions | Contact Evoke Systems for Expert Assistance
Ready to unlock the power of smart EV charging solutions? Contact Evoke Systems and discover how our cloud-based platform can transform your charging operations. From optimizing efficiency and reducing costs to enhancing the user experience, our innovative…
🚨 CVE-2026-44622
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
🎖@cveNotify
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
🎖@cveNotify
evokesystems
Smart EV Charging Solutions | Contact Evoke Systems for Expert Assistance
Ready to unlock the power of smart EV charging solutions? Contact Evoke Systems and discover how our cloud-based platform can transform your charging operations. From optimizing efficiency and reducing costs to enhancing the user experience, our innovative…
🚨 CVE-2026-50176
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.
🎖@cveNotify
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.
🎖@cveNotify
evokesystems
Smart EV Charging Solutions | Contact Evoke Systems for Expert Assistance
Ready to unlock the power of smart EV charging solutions? Contact Evoke Systems and discover how our cloud-based platform can transform your charging operations. From optimizing efficiency and reducing costs to enhancing the user experience, our innovative…
🚨 CVE-2026-54479
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
🎖@cveNotify
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
🎖@cveNotify
evokesystems
Smart EV Charging Solutions | Contact Evoke Systems for Expert Assistance
Ready to unlock the power of smart EV charging solutions? Contact Evoke Systems and discover how our cloud-based platform can transform your charging operations. From optimizing efficiency and reducing costs to enhancing the user experience, our innovative…
🚨 CVE-2026-55962
TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the initial handshake, but it was also being applied while a post-handshake CertificateRequest was still outstanding. The check is now scoped to the initial handshake only: on the server, once a post-handshake CertificateRequest has been sent (certReqCtx is set), a peer certificate and a valid CertificateVerify are required again before the Finished is accepted, with empty-certificate handling following the configured verify mode (FAIL_IF_NO_PEER_CERT) just as during first-handshake client authentication. Only affects TLS 1.3 servers built with post-handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH / --enable-postauth, included in --enable-all) that enable WOLFSSL_VERIFY_POST_HANDSHAKE and request a client certificate after the handshake via wolfSSL_request_certificate(). Clients, and servers that do not use post-handshake authentication, are unaffected.
🎖@cveNotify
TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the initial handshake, but it was also being applied while a post-handshake CertificateRequest was still outstanding. The check is now scoped to the initial handshake only: on the server, once a post-handshake CertificateRequest has been sent (certReqCtx is set), a peer certificate and a valid CertificateVerify are required again before the Finished is accepted, with empty-certificate handling following the configured verify mode (FAIL_IF_NO_PEER_CERT) just as during first-handshake client authentication. Only affects TLS 1.3 servers built with post-handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH / --enable-postauth, included in --enable-all) that enable WOLFSSL_VERIFY_POST_HANDSHAKE and request a client certificate after the handshake via wolfSSL_request_certificate(). Clients, and servers that do not use post-handshake authentication, are unaffected.
🎖@cveNotify
GitHub
Various fixes by Frauschi · Pull Request #10702 · wolfSSL/wolfssl
Hardening and correctness fixes for certificate, TLS, and crypto paths
A set of defensive fixes across several subsystems, each in its own commit with an accompanying regression test:
PKCS7: stric...
A set of defensive fixes across several subsystems, each in its own commit with an accompanying regression test:
PKCS7: stric...
🚨 CVE-2026-6092
When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC.
🎖@cveNotify
When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-MAC.
🎖@cveNotify
GitHub
Fix ETM on resumption by embhorn · Pull Request #10167 · wolfSSL/wolfssl
Description
Correctly handle non-resumption path for encrypt-then-mac.
Fixes zd21571
Testing
Added test_tls12_etm_failed_resumption
Checklist
added tests
updated/added doxygen
updated appropria...
Correctly handle non-resumption path for encrypt-then-mac.
Fixes zd21571
Testing
Added test_tls12_etm_failed_resumption
Checklist
added tests
updated/added doxygen
updated appropria...
🚨 CVE-2026-6325
Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer.
🎖@cveNotify
Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer.
🎖@cveNotify
GitHub
SetSuitesHashSigAlgo fix by mattia-moffa · Pull Request #10204 · wolfSSL/wolfssl
Description
Fixes zd#21599
Testing
./configure --enable-opensslextra
make && make check
Fixes zd#21599
Testing
./configure --enable-opensslextra
make && make check
🚨 CVE-2026-6329
PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and allowing a mismatched MAC to be accepted. The PKCS#12 verify path compared the locally computed HMAC against the MAC parsed from the PKCS#12 structure using a length taken directly from the attacker-supplied input, without first verifying that it equals the length of the digest actually produced by the configured algorithm. A truncated or zero-length stored MAC could therefore be accepted, defeating the integrity protection of the MAC.
🎖@cveNotify
PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and allowing a mismatched MAC to be accepted. The PKCS#12 verify path compared the locally computed HMAC against the MAC parsed from the PKCS#12 structure using a length taken directly from the attacker-supplied input, without first verifying that it equals the length of the digest actually produced by the configured algorithm. A truncated or zero-length stored MAC could therefore be accepted, defeating the integrity protection of the MAC.
🎖@cveNotify
GitHub
Various fixes by mattia-moffa · Pull Request #10192 · wolfSSL/wolfssl
Description
Fixes ZD#21457 (27, 30, 31)
Testing
./configure --enable-pkcs12 && make && make check
./configure --host=aarch64-linux-gnu --enable-armasm --enable-mlkem...
Fixes ZD#21457 (27, 30, 31)
Testing
./configure --enable-pkcs12 && make && make check
./configure --host=aarch64-linux-gnu --enable-armasm --enable-mlkem...
🚨 CVE-2026-6330
The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.
🎖@cveNotify
The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.
🎖@cveNotify
GitHub
Various fixes by mattia-moffa · Pull Request #10192 · wolfSSL/wolfssl
Description
Fixes ZD#21457 (27, 30, 31)
Testing
./configure --enable-pkcs12 && make && make check
./configure --host=aarch64-linux-gnu --enable-armasm --enable-mlkem...
Fixes ZD#21457 (27, 30, 31)
Testing
./configure --enable-pkcs12 && make && make check
./configure --host=aarch64-linux-gnu --enable-armasm --enable-mlkem...
🚨 CVE-2026-6331
HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signature length was only checked as not exceeding the MAC length, so a zero-length or otherwise truncated tag could pass verification. The fix requires the supplied tag length to exactly equal the MAC length and rejects a zero-length MAC, so a forged short or empty tag is no longer accepted.
🎖@cveNotify
HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signature length was only checked as not exceeding the MAC length, so a zero-length or otherwise truncated tag could pass verification. The fix requires the supplied tag length to exactly equal the MAC length and rejects a zero-length MAC, so a forged short or empty tag is no longer accepted.
🎖@cveNotify
GitHub
Various fixes by mattia-moffa · Pull Request #10192 · wolfSSL/wolfssl
Description
Fixes ZD#21457 (27, 30, 31)
Testing
./configure --enable-pkcs12 && make && make check
./configure --host=aarch64-linux-gnu --enable-armasm --enable-mlkem...
Fixes ZD#21457 (27, 30, 31)
Testing
./configure --enable-pkcs12 && make && make check
./configure --host=aarch64-linux-gnu --enable-armasm --enable-mlkem...
🚨 CVE-2026-7511
PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.
🎖@cveNotify
PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.
🎖@cveNotify
GitHub
PKCS#7 fixes by Frauschi · Pull Request #10203 · wolfSSL/wolfssl
Fixes for various issues found in PKCS#7 code.
Fixes zd21593, F-2683, F-2684, F-2686, F-1552, F-1990, F-2681, F-2685, F-1991, F-1992, F-2679, F-2680. Also fixes a regression when building with --en...
Fixes zd21593, F-2683, F-2684, F-2686, F-1552, F-1990, F-2681, F-2685, F-1991, F-1992, F-2679, F-2680. Also fixes a regression when building with --en...
🚨 CVE-2026-7532
iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an issuing CA's IP address constraints.
🎖@cveNotify
iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an issuing CA's IP address constraints.
🎖@cveNotify
GitHub
Fix IPSAN and registeredID handling by embhorn · Pull Request #10354 · wolfSSL/wolfssl
Description
This PR fixes name-constraint enforcement gaps by ensuring iPAddress and registeredID GeneralNames are always parsed/stored.
Fixes zd21725
Testing
Added element to ConfirmNameConstraint...
This PR fixes name-constraint enforcement gaps by ensuring iPAddress and registeredID GeneralNames are always parsed/stored.
Fixes zd21725
Testing
Added element to ConfirmNameConstraint...
🚨 CVE-2026-8720
wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0.
🎖@cveNotify
wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0.
🎖@cveNotify
GitHub
Fix Blake2 oversized key path by mattia-moffa · Pull Request #10447 · wolfSSL/wolfssl
Description
Reduce long keys in a separate state rather than reusing the state used for the HMAC inner hash.
Pad the rest of the buffer with zeros as required by the spec.
Add regression tests
Fi...
Reduce long keys in a separate state rather than reusing the state used for the HMAC inner hash.
Pad the rest of the buffer with zeros as required by the spec.
Add regression tests
Fi...
🚨 CVE-2026-9219
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.
🎖@cveNotify
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily enroll watches belonging to other users.
🎖@cveNotify