CVE-2025-40934 · CRITICAL 9.3 · EPSS percentile 3.5%


Description

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures.

Scoring

CVSS 3.1: 9.3 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
EPSS: 0.14% probability of exploitation · percentile 3.5% · scored 2026-06-19T12:03:05Z
Published: 2025-11-26
Last modified: 2025-12-30

Underlying weaknesses (1)

CWE-347

References

  1. https://github.com/perl-net-saml2/perl-XML-Sig/issues/63
  2. https://github.com/perl-net-saml2/perl-XML-Sig/pull/64

Weakness mapping (1 entry)

Type       Target                                                   Confidence  Tier
Weakness   Improper Verification of Cryptographic Signature (CWE-347)   0%      live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-32600
  - CVE-2025-49796
  - CVE-2025-66568
  - CVE-2025-49794
  - CVE-2025-49795
  - CVE-2025-66567

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.