{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49786?format=json","vulnerability_id":"VCID-ycz9-vn64-b7fj","summary":"sm-crypto Affected by Private Key Recovery in SM2-PKE\nA private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions.","aliases":[{"alias":"CVE-2026-23966"},{"alias":"GHSA-pgx9-497m-6c4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73518?format=json","purl":"pkg:npm/sm-crypto@0.3.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/sm-crypto@0.3.14"}],"affected_packages":[],"references":[{"reference_url":"https://github.com/JuneAndGreen/sm-crypto","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/JuneAndGreen/sm-crypto"},{"reference_url":"https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23966","reference_id":"CVE-2026-23966","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23966"},{"reference_url":"https://github.com/advisories/GHSA-pgx9-497m-6c4v","reference_id":"GHSA-pgx9-497m-6c4v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pgx9-497m-6c4v"},{"reference_url":"https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v","reference_id":"GHSA-pgx9-497m-6c4v","reference_type":"","scores":[],"url":"https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v"}],"weaknesses":[{"cwe_id":345,"name":"Insufficient Verification of Data Authenticity","description":"The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ycz9-vn64-b7fj"}