junrangao

2 exploits Active since Jan 2026

CVE-2026-23965 WRITEUP HIGH WRITEUP

sm-crypto <0.4.0 - Signature Forgery

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue.

CVSS 7.5

View Code

CVE-2026-23966 WRITEUP CRITICAL WRITEUP

sm-crypto <0.3.14 - Private Key Recovery

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue.

CVSS 9.1

View Code