{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33487", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.971Z", "datePublished": "2026-03-26T17:17:51.101Z", "dateUpdated": "2026-03-30T11:16:34.970Z"}, "containers": {"cna": {"title": "goxmldsig has validateSignature Loop Variable Capture Signature Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-682", "lang": "en", "description": "CWE-682: Incorrect Calculation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc"}], "affected": [{"vendor": "russellhaering", "product": "goxmldsig", "versions": [{"version": "< 1.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:17:51.101Z"}, "descriptions": [{"lang": "en", "value": "goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch."}], "source": {"advisory": "GHSA-479m-364c-43vc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:16:13.379400Z", "id": "CVE-2026-33487", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:16:34.970Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33487", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:16:13.379400Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:16:27.338Z"}}], "cna": {"title": "goxmldsig has validateSignature Loop Variable Capture Signature Bypass", "source": {"advisory": "GHSA-479m-364c-43vc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "russellhaering", "product": "goxmldsig", "versions": [{"status": "affected", "version": "< 1.6.0"}]}], "references": [{"url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc", "name": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-682", "description": "CWE-682: Incorrect Calculation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:17:51.101Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33487", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:16:34.970Z", "dateReserved": "2026-03-20T16:16:48.971Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:17:51.101Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goxmldsig_project:goxmldsig:*:*:*:*:*:*:*:*", "matchCriteriaId": "F33DF651-C3B7-47BB-85EF-3D044F20608B", "versionEndExcluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch."}, {"lang": "es", "value": "goxmlsig proporciona Firmas Digitales XML implementadas en Go. Antes de la versi\u00f3n 1.6.0, la funci\u00f3n 'validateSignature' en 'validate.go' recorre las referencias en el bloque 'SignedInfo' para encontrar una que coincida con el ID del elemento firmado. En versiones de Go anteriores a la 1.22, o cuando 'go.mod' utiliza una versi\u00f3n anterior, existe un problema de captura de variable de bucle. El c\u00f3digo toma la direcci\u00f3n de la variable de bucle '_ref' en lugar de su valor. Como resultado, si m\u00e1s de una referencia coincide con el ID o si la l\u00f3gica del bucle es incorrecta, el puntero 'ref' siempre terminar\u00e1 apuntando al \u00faltimo elemento en el slice 'SignedInfo.References' despu\u00e9s del bucle. goxmlsig versi\u00f3n 1.6.0 contiene un parche."}], "id": "CVE-2026-33487", "lastModified": "2026-04-20T14:15:08.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T18:16:30.070", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}, {"lang": "en", "value": "CWE-682"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/russellhaering/goxmldsig: goxmlsig: Integrity bypass due to incorrect XML Digital Signature validation via loop variable capture issue", "id": "2451814", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451814"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-347", "details": ["goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.", "A flaw was found in goxmlsig, a Go library for XML Digital Signatures. This vulnerability arises from a programming error, specifically a loop variable capture issue, within the `validateSignature` function. When processing XML Digital Signatures, this error can cause the system to incorrectly validate the signature, potentially allowing an attacker to bypass integrity checks. This issue affects Go versions before 1.22 or projects using older `go.mod` configurations."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33487", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2026-03-26T17:17:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33487\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33487\nhttps://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goxmldsig", "source": "cna", "vendor": "russellhaering"}, "product": "goxmldsig", "vendor": "russellhaering"}], "analysis": {"en": {"generated_at": "2026-03-26T18:22:35.682102+00:00", "value": {"mitigation_remediation": ["Upgrade goxmldsig to version 1.6.0 or later.", "If upgrading is not feasible, restrict or validate XML input to ensure only legitimate signed elements are processed.", "Verify that applications using the library have not been exposed to untrusted XML sources and consider implementing additional input validation."], "summary": {"action": "Immediate Patch", "impact": "Signature Bypass"}, "threat_synthesis": {"affected_systems": "Affected software includes the goxmldsig library distributed by russellhaering, versions prior to 1.6.0. Any application using this library to process XML signatures is susceptible.", "description_and_impact": "The loop variable capture flaw in goxmldsig's validateSignature function causes the internal reference pointer to reference the last element in the SignedInfo.References slice, regardless of matches. This allows crafted XML documents to bypass signature verification, enabling an attacker to alter the signed content while still passing validation.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 7.5 and has not been marked as commonly exploited. It is not listed in the KEV catalog and no exploit probability score is available. Likely exploitation requires the attacker to supply manipulated XML to a system that relies on goxmldsig for signature validation, such as an HTTP service or an XML processing pipeline."}}}}, "created": "2026-03-27T08:33:32.091369+00:00", "updated": "2026-03-27T09:25:56.438132+00:00", "vendors": ["russellhaering", "russellhaering$PRODUCT$goxmldsig"]}