Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:gem/bsv-sdk@0.8.2
purl pkg:gem/bsv-sdk@0.8.2
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-p7zx-msf7-b7d8
Aliases:
CVE-2026-40069
GHSA-9hfr-gw99-8rhx
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2. There are no reported fixed by versions.
VCID-yq7q-r59b-tyh9
Aliases:
CVE-2026-40070
GHSA-hc36-c89j-5f4j
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate. There are no reported fixed by versions.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-p7zx-msf7-b7d8 BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2. CVE-2026-40069
GHSA-9hfr-gw99-8rhx
VCID-yq7q-r59b-tyh9 BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate. CVE-2026-40070
GHSA-hc36-c89j-5f4j

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T09:28:45.350107+00:00 Ruby Importer Affected by VCID-p7zx-msf7-b7d8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bsv-sdk/CVE-2026-40069.yml 38.6.0
2026-06-13T09:28:45.299346+00:00 Ruby Importer Fixing VCID-p7zx-msf7-b7d8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bsv-sdk/CVE-2026-40069.yml 38.6.0
2026-06-13T09:28:45.190304+00:00 Ruby Importer Affected by VCID-yq7q-r59b-tyh9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bsv-sdk/CVE-2026-40070.yml 38.6.0
2026-06-13T09:28:45.154098+00:00 Ruby Importer Fixing VCID-yq7q-r59b-tyh9 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bsv-sdk/CVE-2026-40070.yml 38.6.0
2026-06-13T06:28:55.285060+00:00 GHSA Importer Fixing VCID-p7zx-msf7-b7d8 https://github.com/advisories/GHSA-9hfr-gw99-8rhx 38.6.0
2026-06-13T06:28:55.234111+00:00 GHSA Importer Fixing VCID-yq7q-r59b-tyh9 https://github.com/advisories/GHSA-hc36-c89j-5f4j 38.6.0
2026-06-12T21:58:43.357758+00:00 GitLab Importer Fixing VCID-yq7q-r59b-tyh9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/bsv-sdk/CVE-2026-40070.yml 38.6.0
2026-06-12T21:57:54.686153+00:00 GitLab Importer Fixing VCID-p7zx-msf7-b7d8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/bsv-sdk/CVE-2026-40069.yml 38.6.0
2026-06-12T07:45:54.799322+00:00 GithubOSV Importer Fixing VCID-p7zx-msf7-b7d8 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9hfr-gw99-8rhx/GHSA-9hfr-gw99-8rhx.json 38.6.0
2026-06-12T07:45:26.157543+00:00 GithubOSV Importer Fixing VCID-yq7q-r59b-tyh9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hc36-c89j-5f4j/GHSA-hc36-c89j-5f4j.json 38.6.0