PatchSiren

TIMLEGGE CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL TIMLEGGE CVE published 2026-06-15

CVE-2026-12205

A vulnerability was discovered in Crypt::DSA versions before 1.21 for Perl, where the nonce was reused across signatures, allowing for private-key recovery. This is due to the caching of per-signature nonce material in the Key object without clearing it. As a result, keys used to sign more than once with an affected version should be considered compromised.

MEDIUM TIMLEGGE CVE published 2026-05-15

CVE-2026-8704

Crypt::DSA versions through 1.19 for Perl use a two-argument form of the open() function, which can allow existing files to be modified when the module handles DSA key files. The two-argument open is susceptible to shell metacharacter injection in the filename argument, potentially enabling an attacker to redirect output to arbitrary files or modify existing files if untrusted input is passed as a filenam [truncated]

HIGH TIMLEGGE CVE published 2026-05-15

CVE-2026-8700

Crypt::DSA versions before 1.20 for Perl generate cryptographic seeds using Perl's built-in `rand` function, which is not cryptographically secure. This weakness allows attackers who can observe or predict the seed values to potentially compromise DSA key generation, leading to reduced confidentiality, integrity, and availability of cryptographic operations. The vulnerability was addressed in version 1.20 [truncated]