PT-2026-55454 · Packagist · Simplesamlphp/Saml2+1

Publicado

2026-07-02

·

Atualizado

2026-07-02

·

CVE-2026-49289

CVSS v3.1

7.5

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications (and specifically refuse XPath transforms).

Impact

An attacker is able to send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2-library) to be able to perform a Denial-of-Service attack.

Correção

Resource Exhaustion

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-49289
GHSA-5CJR-MXJ5-WMRX

Produtos afetados

Simplesamlphp/Saml2
Simplesamlphp/Saml2-Legacy