PatchSiren

ZenHive CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH ZenHive CVE published 2026-07-17

CVE-2026-59695

CVE-2026-59695 is a vulnerability in ZenHive's mpp library that allows an unauthenticated remote client to drain the fee-payer wallet by naming an arbitrarily high gas price. The vulnerability is caused by the improper validation of specified quantity in input in the mpp library. When the library is configured as a fee payer, it re-signs client-supplied base fields of the 0x76 AASigned envelope verbatim, [truncated]

HIGH ZenHive CVE published 2026-07-17

CVE-2026-59694

CVE-2026-59694 is a vulnerability in ZenHive's mpp library, which allows an unauthenticated remote client to inflate the fee-payer's gas cost per payment by a large multiplier, degrading the sponsor's operating margin. The vulnerability occurs when the mpp Elixir library is configured as a fee payer and re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 [truncated]

HIGH ZenHive CVE published 2026-07-17

CVE-2026-59252

CVE-2026-59252 is an Improper Validation of Specified Quantity in Input vulnerability in ZenHive mpp that allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients. The vulnerability affects mpp versions from 0.2.0 before 0.6.0. The issue arises when the mpp Elixir library is configured as a fee payer and does not validate the client-suppl [truncated]