CVE-2026-31839
HIGH
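CVSS 8.2 (CNA score from security-advisories@github.com, vector AV:L/UI:R/S:C; NVD's own assessment in the record below is 7.5, vector AV:N/UI:N/S:U)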
No EPSS data
Description
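Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Validation relied only on hash fields stored in the package's own manifest; because those fields could be modified together with the package content, tampered confirmation packages could still pass the integrity checks. A hash carried alongside the data it covers detects accidental corruption but not deliberate modification, unless it is authenticated by something the modifier cannot alter (the record classifies this as CWE-354). This vulnerability is fixed in 3.0.0. Note that the CPE match data in the JSON record gives `versionEndIncluding` 3.0.0, which would also flag the fixed release; confirm the affected range against the vendor advisory rather than the CPE range alone.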
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-31839",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 8.2,
"attackVector": "LOCAL",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"integrityImpact": "HIGH",
"userInteraction": "REQUIRED",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.8,
"exploitabilityScore": 1.8
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 7.5,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "NONE"
},
"impactScore": 3.6,
"exploitabilityScore": 3.9
}
]
},
"published": "2026-03-11T17:16:58.270",
"references": [
{
"url": "https://github.com/striae-org/striae/releases/tag/v3.0.0",
"tags": [
"Release Notes"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m",
"tags": [
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-354"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0."
},
{
"lang": "es",
"value": "Striae es un compa\u00f1ero de comparaci\u00f3n para examinadores de armas de fuego. Exist\u00eda una vulnerabilidad de omisi\u00f3n de integridad de alta gravedad en el flujo de trabajo de confirmaci\u00f3n digital de Striae antes de la v3.0.0. La validaci\u00f3n solo por hash confiaba en los campos de hash del manifiesto que pod\u00edan ser modificados junto con el contenido del paquete, permitiendo que los paquetes de confirmaci\u00f3n manipulados pasaran las comprobaciones de integridad. Esta vulnerabilidad est\u00e1 corregida en la 3.0.0."
}
],
"lastModified": "2026-03-20T16:56:55.217",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:striae:striae:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "3DECC8C8-51C3-472E-B292-6800B86701C3",
"versionEndIncluding": "3.0.0",
"versionStartIncluding": "0.9.22"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}