CVE Alert

CVE-2026-9648

CRITICAL 9.1

CVSS Score: 9.1
EPSS Score: 0.0%
EPSS Percentile: 0th

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA's permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope.

Vendor: haskell programming language
Product: crypton-certificate
Published: Jun 11, 2026
Last Updated: Jun 11, 2026

Affected Versions

Haskell Programming Language / crypton-certificate
0 < 1.9.1

References

github.com: https://github.com/kazu-yamamoto/crypton-certificate/pull/30
github.com: https://github.com/kazu-yamamoto/crypton-certificate/pull/30/changes/f4b77edf6ead77f4a886da40e41eab20f0180e39
hackage.haskell.org: https://hackage.haskell.org/package/crypton-x509-validation-1.9.1/revisions/
github.com: https://github.com/haskell/security-advisories/pull/332
kb.cert.org: https://www.kb.cert.org/vuls/id/862559