Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 39d19d784fae · 2026-01-21T16:16:15.000Z
GHSA-g8mr-fgfg-5qpc GHSA-hpwg-xg7m-3p6m GHSA-qv7w-v773-3xqm
diff --git a/advisories/github-reviewed/2025/10/GHSA-g8mr-fgfg-5qpc/GHSA-g8mr-fgfg-5qpc.json b/advisories/github-reviewed/2025/10/GHSA-g8mr-fgfg-5qpc/GHSA-g8mr-fgfg-5qpc.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g8mr-fgfg-5qpc",
-  "modified": "2025-10-21T15:09:06Z",
+  "modified": "2026-01-21T16:15:45Z",
   "published": "2025-10-21T15:09:06Z",
   "aliases": [
     "CVE-2025-62595"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62595"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b"
@@ -75,6 +79,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2025-10-21T15:09:06Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-10-21T17:15:40Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-hpwg-xg7m-3p6m/GHSA-hpwg-xg7m-3p6m.json b/advisories/github-reviewed/2026/01/GHSA-hpwg-xg7m-3p6m/GHSA-hpwg-xg7m-3p6m.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hpwg-xg7m-3p6m",
+  "modified": "2026-01-21T16:13:44Z",
+  "published": "2026-01-21T16:13:44Z",
+  "aliases": [
+    "CVE-2026-23965"
+  ],
+  "summary": "sm-crypto Affected by Signature Forgery in SM2-DSA",
+  "details": "### Summary\n\nA signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements.\n\n### Credit\n\nThis vulnerability was discovered by:\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "sm-crypto"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.4.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-hpwg-xg7m-3p6m"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/JuneAndGreen/sm-crypto/commit/85295a859d0766222d12ce2be3e6fce7b438b510"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/JuneAndGreen/sm-crypto"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-347"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T16:13:44Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-qv7w-v773-3xqm/GHSA-qv7w-v773-3xqm.json b/advisories/github-reviewed/2026/01/GHSA-qv7w-v773-3xqm/GHSA-qv7w-v773-3xqm.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qv7w-v773-3xqm",
+  "modified": "2026-01-21T16:13:35Z",
+  "published": "2026-01-21T16:13:35Z",
+  "aliases": [
+    "CVE-2026-23967"
+  ],
+  "summary": "sm-crypto Affected by Signature Malleability in SM2-DSA",
+  "details": "### Summary\n\nA signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library. An attacker can derive a new valid signature for a previously signed message from an existing signature.\n\n### Credit\n\nThis vulnerability was discovered by:\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "sm-crypto"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.3.14"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/JuneAndGreen/sm-crypto"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-347"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T16:13:35Z",
+    "nvd_published_at": null
+  }
+}
