Russellhaering Goxmldsig vulnerabilities

CVE-2026-33487 [HIGH] CWE-347 CVE-2026-33487: goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSig goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The cod

CVE-2020-15216 [MEDIUM] CWE-347 CVE-2020-15216: In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version