github.com/russellhaering/goxmldsig
Go: 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/russellhaering/goxmldsig
- CVE-2020-15216 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.1.0 | 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available…
- CVE-2020-26290 | CRITICAL | CVSS 9.3 | EG 9.3 | ✓ Fixed in 1.1.0 | 2020-12-28
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enable potential signature bypass due…
- CVE-2020-7711 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.1.1 | 2020-08-23
This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.
- CVE-2020-7731 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.1.1 | 2021-04-30
This affects all versions <0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures.
- CVE-2026-33487 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.6.0 | 2026-03-26
goxmldsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. I…