PYSEC-2026-1448

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/hdwallet/PYSEC-2026-1448.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1448
Aliases
Published
2026-07-07T16:03:14.550291Z
Modified
2026-07-07T17:47:42.257167506Z
Severity
  • 4.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
libsodium has Incomplete List of Disallowed Inputs
Details

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to cryptocoreed25519isvalid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

This advisoory lists packages in the GitHub Advisory Database's supported ecosystems that are affected by this vulnerability due to a vulnerable dependency.

References

Affected packages

PyPI / hdwallet

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.1

Affected versions

0.*
0.1.0a1
0.1.0
0.1.1
0.2.0
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
2.*
2.0.0a1
2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
3.*
3.0.0
3.0.1
3.1.0b1
3.1.0b2
3.1.0
3.2.0
3.2.1
3.2.3
3.3.0
3.4.0
3.5.1
3.6.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/hdwallet/PYSEC-2026-1448.yaml"