PT-2026-26773 · Goxmldsig · Goxmldsig

Published

2026-03-18

·

Updated

2026-04-07

·

CVE-2026-33487

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: goxmldsig versions prior to 1.6.0, when built with a Go toolchain older than 1.22 or when go.mod declares a go directive older than 1.22 (Go 1.22 gives each loop iteration its own variable, but only for modules whose go.mod says go 1.22 or later, so the aliasing still occurs on newer toolchains with an older go directive).
Description: The validateSignature function in validate.go takes the address of the range loop variable (&ref) while iterating over SignedInfo.References, instead of the address of the slice element. Before Go 1.22, or whenever go.mod declares a go directive older than 1.22, a single loop variable is reused for every iteration, so the saved pointer aliases that one variable and, once the loop finishes, points at the last reference in the slice rather than the reference that actually matched the element. The digest comparison for an element is therefore made against the last reference's DigestValue. An attacker can exploit this by replacing the content of one signed element with the content of another element referenced in the same signature: the replaced element now hashes to the digest the code compares against, so the integrity check passes and the signature validates. A proof of concept demonstrates that altering the first signed element to match the second produces a signature the library accepts.
Recommendations: Update to goxmldsig version 1.6.0 or later. If you must stay on an older release and build with Go prior to 1.22, or with a go.mod go directive older than 1.22, change the loop in validate.go so that it never takes the address of the range variable: index the slice directly (&refs[i]) or copy ref into a fresh per-iteration variable before taking its address. Moving to Go 1.22 or later also requires raising the go directive in go.mod to 1.22 or later for the per-iteration loop semantics to apply.
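The aliasing described above, as an added example that is not goxmldsig's own code: the types Reference and Element, the functions findRefVulnerable, findRefFixed, verifyElement and scenario, and the sample element contents are all constructed for this illustration. findRefVulnerable spells out the single shared loop variable that Go before 1.22 used, so the bug reproduces on any toolchain regardless of the go directive; findRefFixed indexes the slice directly, which is the fix the advisory recommends.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Reference models one <ds:Reference> inside SignedInfo: the URI of the
// signed element it covers and the digest the signer recorded for it.
// (Name and shape are this example's own, not goxmldsig's types.)
type Reference struct {
	URI         string
	DigestValue []byte
}

// Element stands in for a signed XML element; the bytes are treated as
// already canonicalized so the example needs no XML parsing.
type Element struct {
	ID      string
	Content []byte
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// findRefVulnerable reproduces the pre-Go-1.22 behaviour of
//
//	for _, ref := range refs { if ref.URI == uri { found = &ref } }
//
// Under the old semantics there is a single loop variable for the whole
// loop, which is written out explicitly here so the aliasing shows up on
// any Go toolchain. The pointer saved on the matching iteration keeps
// pointing at that one variable, which after the loop holds the LAST
// reference in the slice, not the one that matched.
func findRefVulnerable(refs []Reference, uri string) *Reference {
	var found *Reference
	var ref Reference // one variable reused by every iteration
	for i := range refs {
		ref = refs[i]
		if ref.URI == uri {
			found = &ref // address of the shared variable, not of refs[i]
		}
	}
	return found
}

// findRefFixed indexes the slice directly: &refs[i] is the address of the
// element itself, so the pointer survives the rest of the loop unchanged.
func findRefFixed(refs []Reference, uri string) *Reference {
	for i := range refs {
		if refs[i].URI == uri {
			return &refs[i]
		}
	}
	return nil
}

// verifyElement mirrors the digest comparison that follows the reference
// lookup: hash the element and compare with the DigestValue of whichever
// reference the lookup returned.
func verifyElement(el Element, refs []Reference, find func([]Reference, string) *Reference) bool {
	ref := find(refs, "#"+el.ID)
	if ref == nil {
		return false
	}
	return bytes.Equal(digest(el.Content), ref.DigestValue)
}

// scenario signs two constructed elements, then checks the first element
// twice: once with its genuine content and once after an attacker has
// replaced its content with the second element's content. It returns
// (genuine accepted, tampered accepted).
func scenario(find func([]Reference, string) *Reference) (genuineOK, tamperedOK bool) {
	assertion := Element{ID: "assertion", Content: []byte("<Assertion>alice</Assertion>")}
	attribute := Element{ID: "attr", Content: []byte("<Attribute>user</Attribute>")}
	refs := []Reference{
		{URI: "#assertion", DigestValue: digest(assertion.Content)},
		{URI: "#attr", DigestValue: digest(attribute.Content)},
	}
	genuineOK = verifyElement(assertion, refs, find)
	tampered := Element{ID: "assertion", Content: attribute.Content}
	tamperedOK = verifyElement(tampered, refs, find)
	return genuineOK, tamperedOK
}

func main() {
	g, t := scenario(findRefVulnerable)
	fmt.Printf("vulnerable loop: genuine=%v tampered=%v\n", g, t)
	g, t = scenario(findRefFixed)
	fmt.Printf("fixed loop:      genuine=%v tampered=%v\n", g, t)
}
```

With the vulnerable lookup the genuine first element is rejected and the tampered one (carrying the second element's bytes) is accepted, because both are compared against the second reference's digest; with the indexed lookup the results invert. A document with a single reference is unaffected either way, since the shared variable then ends the loop holding the only, and correct, reference.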

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

CVE-2026-33487
GHSA-479M-364C-43VC
GO-2026-4753
SUSE-SU-2026:1205-1

Affected Products

Goxmldsig