Package details: pkg:composer/web-auth/webauthn-framework@3.2.9
purl pkg:composer/web-auth/webauthn-framework@3.2.9
Next non-vulnerable version 5.2.4
Latest non-vulnerable version 5.3.1
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability: VCID-c1sf-wwmg-cqch
Aliases: CVE-2026-30964, GHSA-f7pm-6hr8-7ggm
Summary: Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation. When `allowed_origins` is configured, `CheckAllowedOrigins` reduces URL-like values to their `host` and accepts on host match. This makes exact origin policies impossible to express: scheme and port differences are lost for URL-like entries.
Fixed by: 5.2.4 (Affected by 0 other vulnerabilities.)
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-cxgw-9jk7-n7es
Aliases: CVE-2021-38299, GHSA-6whf-q6p5-84wg
Summary: Incorrect Authorization. Webauthn Framework has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-06T07:17:42.701910+00:00 | GitLab Importer | Affected by | VCID-c1sf-wwmg-cqch | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/web-auth/webauthn-framework/CVE-2026-30964.yml | 38.6.0
2026-06-02T04:40:05.619040+00:00 | GitLab Importer | Fixing | VCID-cxgw-9jk7-n7es | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/web-auth/webauthn-framework/CVE-2021-38299.yml | 38.6.0