216.73.216.169

CVE-2026-40070

· Published 09/04/2026 18:17 · Modified 09/04/2026 18:17

Labels: CVE-2026-40070 2026-04-09CVE-2026-40070CWE-347[email protected]

Essential information

Published
09/04/2026 18:17
Modified
09/04/2026 18:17
Author
Creator
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
bsv / ruby sdk cpe:2.3:a:bsv:ruby_sdk:0.3.1-0.8.1:*:*:*:*:*:*:*

References