Количество 6
Количество 6
CVE-2026-33896
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
CVE-2026-33896
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
CVE-2026-33896
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
CVE-2026-33896
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
CVE-2026-33896
Forge (also called `node-forge`) is a native implementation of Transpo ...
GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2026-33896 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue. | CVSS3: 7.4 | 0% Низкий | 16 дней назад |
 | CVE-2026-33896 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue. | CVSS3: 7.4 | 0% Низкий | 16 дней назад |
 | CVE-2026-33896 Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue. | CVSS3: 7.4 | 0% Низкий | 16 дней назад |
 | CVE-2026-33896 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | 0% Низкий | 11 дней назад | |
| CVE-2026-33896 Forge (also called `node-forge`) is a native implementation of Transpo ... | CVSS3: 7.4 | 0% Низкий | 16 дней назад |
| GHSA-2328-f5f3-gj25 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | CVSS3: 7.4 | 0% Низкий | 17 дней назад |
Уязвимостей на страницу