CVE-2026-33895
Forge has signature forgery in Ed25519 due to missing S > L checkForge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
We have discovered 514 live websites that are affected by CVE-2026-33895.
Affected Software
| Product |  node-forge |
| Category | JavaScript Libraries |
| Vulnerable Domains | 514 live websites (100% of node-forge install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 5 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-347 Improper Verification of Cryptographic SignatureDetails
- Published - Mar 27, 2026
- Updated - Mar 31, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-33895 United States | 357 websites |
 China | 39 websites |
 Germany | 17 websites |
 Netherlands | 12 websites |
 Italy | 9 websites |
 GB | 8 websites |
 Hong Kong | 7 websites |
 Poland | 6 websites |
 Brazil | 6 websites |
 Canada | 5 websites |
Website Distribution by TLD
Number of websites using CVE-2026-33895| .com | 287 websites |
| .cn | 36 websites |
| .de | 16 websites |
| .nl | 13 websites |
| .it | 11 websites |
| .org | 11 websites |
| .net | 9 websites |
| .co | 8 websites |
| .io | 7 websites |
| .pl | 7 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-33895
Top websites that are affected by CVE-2026-33895. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | United States | **,*** | |
| *******.com | GB | **,*** | |
| *********.com | United States | ***,*** | |
| *******.com | United States | ***,*** | |
| ******.com | United States | ***,*** | |
| ********.com | United States | ***,*** | |
| *******.com | United States | ***,*** | |
| ************.com | Hong Kong | ***,*** | |
| *************.com | United States | ***,*** | |
| *******.co | United States | ***,*** |
FAQ
CVE-2026-33895 is Improper Verification of Cryptographic Signature in node-forge
A total of 514 websites have been identified as vulnerable to CVE-2026-33895, based on global website indexing conducted by WebTechSurvey.
The node-forge is affected by the CVE-2026-33895 vulnerability.
node-forge versions up to 1.4 are vulnerable to CVE-2026-33895.
CVE-2026-33895 is resolved in version 1.4 of node-forge.