CVE-2026-33487: validateSignature Loop Variable Capture Signature Bypass in goxmldsig

March 18, 2026 (updated March 20, 2026)

This vulnerability lets an attacker get around integrity checks for certain signed elements by replacing their content with the content from another element that is also referenced in the same signature.

References

github.com/advisories/GHSA-479m-364c-43vc
github.com/russellhaering/goxmldsig
github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc
nvd.nist.gov/vuln/detail/CVE-2026-33487

Code Behaviors & Features

Detect and mitigate CVE-2026-33487 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →