JLSEC-2026-368

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-368.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-368.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-368
Upstream
  • EUVD-2026-7584
  • GHSA-jprc-mg35-68jq
Published
2026-04-30T19:30:31.295Z
Modified
2026-04-30T20:02:31.957659753Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Summary
A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function...
Details

A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Database specific
{
    "sources": [
        {
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-2968",
            "database_specific": {
                "status": "Analyzed"
            },
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2968",
            "modified": "2026-04-29T01:00:01.613Z",
            "id": "CVE-2026-2968",
            "imported": "2026-04-30T18:54:47.770Z",
            "published": "2026-02-23T04:16:02.283Z"
        },
        {
            "url": "https://api.github.com/advisories/GHSA-jprc-mg35-68jq",
            "html_url": "https://github.com/advisories/GHSA-jprc-mg35-68jq",
            "modified": "2026-02-23T06:30:24Z",
            "id": "GHSA-jprc-mg35-68jq",
            "imported": "2026-04-30T18:55:10.501Z",
            "published": "2026-02-23T06:30:18Z"
        },
        {
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-7584",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-7584",
            "modified": "2026-02-23T17:26:53Z",
            "id": "EUVD-2026-7584",
            "imported": "2026-04-30T18:55:03.376Z",
            "published": "2026-02-23T03:02:07Z"
        }
    ],
    "license": "CC-BY-4.0"
}

Affected packages

Julia / Mongoose_jll

Package

Name
Mongoose_jll
Purl
pkg:julia/Mongoose_jll?uuid=0a8a3f5b-4c0e-5906-8e29-5b3fee15539c

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
7.21.0+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-368.json"