{"url":"http://public2.vulnerablecode.io/api/packages/208902?format=json","purl":"pkg:composer/simplesamlphp/saml2@1.6.0","type":"composer","namespace":"simplesamlphp","name":"saml2","version":"1.6.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.17.0","latest_non_vulnerable_version":"4.17.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51994?format=json","vulnerability_id":"VCID-139j-7afy-wyf1","summary":"Improper Input Validation\nRob Richards XmlSecLibs, as used for example by SimpleSAMLphp, performs incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-3465","reference_id":"","reference_type":"","scores":[{"value":"0.01873","scoring_system":"epss","scoring_elements":"0.83485","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01873","scoring_system":"epss","scoring_elements":"0.83487","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01873","scoring_system":"epss","scoring_elements":"0.8346","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-3465"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml"},{"reference_url":"https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/"},{"reference_url":"https://seclists.org/bugtraq/2019/Nov/8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/bugtraq/2019/Nov/8"},{"reference_url":"https://simplesamlphp.org/security/201911-01","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201911-01"},{"reference_url":"https://www.debian.org/security/2019/dsa-4560","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4560"},{"reference_url":"https://www.tenable.com/security/tns-2019-09","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tenable.com/security/tns-2019-09"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944107","reference_id":"944107","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944107"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-3465","reference_id":"CVE-2019-3465","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-3465"},{"reference_url":"https://github.com/advisories/GHSA-pqm6-cgwr-x6pf","reference_id":"GHSA-pqm6-cgwr-x6pf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pqm6-cgwr-x6pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53292?format=json","purl":"pkg:composer/simplesamlphp/saml2@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-v3bx-f3um-8ubc"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.0.0"}],"aliases":["CVE-2019-3465","GHSA-pqm6-cgwr-x6pf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-139j-7afy-wyf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56788?format=json","vulnerability_id":"VCID-6c55-4pyx-ckbx","summary":"The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding\nThere's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.\n\nI believe that it exists for v4 only. I have not yet developed a PoC.\n\nV5 is well designed and instead builds the signed query from the same message that will be consumed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27773","reference_id":"","reference_type":"","scores":[{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36263","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36254","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27773"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27773","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27773"},{"reference_url":"https://github.com/simplesamlphp/saml2","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/saml2"},{"reference_url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113"},{"reference_url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595","reference_id":"1100595","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27773","reference_id":"CVE-2025-27773","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27773"},{"reference_url":"https://github.com/advisories/GHSA-46r4-f8gj-xg56","reference_id":"GHSA-46r4-f8gj-xg56","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-46r4-f8gj-xg56"},{"reference_url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56","reference_id":"GHSA-46r4-f8gj-xg56","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84319?format=json","purl":"pkg:composer/simplesamlphp/saml2@4.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@4.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/84320?format=json","purl":"pkg:composer/simplesamlphp/saml2@5.0.0-alpha.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@5.0.0-alpha.20"}],"aliases":["CVE-2025-27773","GHSA-46r4-f8gj-xg56"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6c55-4pyx-ckbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56282?format=json","vulnerability_id":"VCID-8b8r-g7e2-qfb2","summary":"SimpleSAMLphp SAML2 has an XXE in parsing SAML messages\nSummary\n\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52806","reference_id":"","reference_type":"","scores":[{"value":"0.00183","scoring_system":"epss","scoring_elements":"0.39846","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00183","scoring_system":"epss","scoring_elements":"0.39843","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52806"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52806","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52806"},{"reference_url":"https://github.com/simplesamlphp/saml2","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/saml2"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/"}],"url":"https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904","reference_id":"1088904","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52806","reference_id":"CVE-2024-52806","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52806"},{"reference_url":"https://github.com/advisories/GHSA-pxm4-r5ph-q2m2","reference_id":"GHSA-pxm4-r5ph-q2m2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pxm4-r5ph-q2m2"},{"reference_url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2","reference_id":"GHSA-pxm4-r5ph-q2m2","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/"}],"url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83374?format=json","purl":"pkg:composer/simplesamlphp/saml2@4.6.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@4.6.14"}],"aliases":["CVE-2024-52806","GHSA-pxm4-r5ph-q2m2"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8b8r-g7e2-qfb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56285?format=json","vulnerability_id":"VCID-ma9b-k5br-ffhd","summary":"SimpleSAMLphp xml-common XXE vulnerability\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52596","reference_id":"","reference_type":"","scores":[{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44538","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44529","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52596"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52596","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52596"},{"reference_url":"https://github.com/simplesamlphp/xml-common","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/xml-common"},{"reference_url":"https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T18:32:34Z/"}],"url":"https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904","reference_id":"1088904","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52596","reference_id":"CVE-2024-52596","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52596"},{"reference_url":"https://github.com/advisories/GHSA-2x65-fpch-2fcm","reference_id":"GHSA-2x65-fpch-2fcm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2x65-fpch-2fcm"},{"reference_url":"https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm","reference_id":"GHSA-2x65-fpch-2fcm","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T18:32:34Z/"}],"url":"https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83374?format=json","purl":"pkg:composer/simplesamlphp/saml2@4.6.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@4.6.14"}],"aliases":["CVE-2024-52596","GHSA-2x65-fpch-2fcm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ma9b-k5br-ffhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39371?format=json","vulnerability_id":"VCID-ucwf-xdma-h7fc","summary":"Injection Vulnerability\nThe SAML2 library in `SimpleSAMLphp` has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6519","reference_id":"","reference_type":"","scores":[{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64851","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64841","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64799","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-6519.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-6519.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6519","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6519"},{"reference_url":"https://simplesamlphp.org/security/201801-01","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201801-01"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54982?format=json","purl":"pkg:composer/simplesamlphp/saml2@1.10.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.4"},{"url":"http://public2.vulnerablecode.io/api/packages/54983?format=json","purl":"pkg:composer/simplesamlphp/saml2@2.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-v3bx-f3um-8ubc"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/54984?format=json","purl":"pkg:composer/simplesamlphp/saml2@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@3.1.1"}],"aliases":["CVE-2018-6519","GHSA-hhm8-2j4g-mpgg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ucwf-xdma-h7fc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39459?format=json","vulnerability_id":"VCID-wbt9-snjj-uuea","summary":"Improper signature validation\nThe `XmlSecLibs` library as used in the saml2 library in SimpleSAMLphp incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7644","reference_id":"","reference_type":"","scores":[{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.4391","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43902","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43832","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7644"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7644.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7644.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://simplesamlphp.org/security/201802-01","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201802-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7644","reference_id":"CVE-2018-7644","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7644"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55121?format=json","purl":"pkg:composer/simplesamlphp/saml2@1.10.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.5"},{"url":"http://public2.vulnerablecode.io/api/packages/55122?format=json","purl":"pkg:composer/simplesamlphp/saml2@2.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-v3bx-f3um-8ubc"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/55123?format=json","purl":"pkg:composer/simplesamlphp/saml2@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@3.1.3"}],"aliases":["CVE-2018-7644","GHSA-923w-2xv2-7pr8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbt9-snjj-uuea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39457?format=json","vulnerability_id":"VCID-xx6m-pvgs-puga","summary":"Incorrect signature validation\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7711","reference_id":"","reference_type":"","scores":[{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55374","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55378","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55317","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7711"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7711","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7711"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html"},{"reference_url":"https://simplesamlphp.org/security/201803-01","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201803-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7711","reference_id":"CVE-2018-7711","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7711"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55115?format=json","purl":"pkg:composer/simplesamlphp/saml2@1.10.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.6"},{"url":"http://public2.vulnerablecode.io/api/packages/55116?format=json","purl":"pkg:composer/simplesamlphp/saml2@2.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-v3bx-f3um-8ubc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/55117?format=json","purl":"pkg:composer/simplesamlphp/saml2@3.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@3.1.4"}],"aliases":["CVE-2018-7711","GHSA-g888-g2pp-82hf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xx6m-pvgs-puga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38481?format=json","vulnerability_id":"VCID-zemd-kbb3-s3cr","summary":"Incorrect signature verification\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9814","reference_id":"","reference_type":"","scores":[{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74827","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74863","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74858","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9814"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9814","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9814"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2016-9814.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2016-9814.yaml"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c"},{"reference_url":"https://github.com/simplesamlphp/saml2/pull/81","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/simplesamlphp/saml2/pull/81"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9814","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9814"},{"reference_url":"https://simplesamlphp.org/security/201612-01","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201612-01"},{"reference_url":"http://www.securityfocus.com/bid/94730","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/94730"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/152991?format=json","purl":"pkg:composer/simplesamlphp/saml2@1.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/53294?format=json","purl":"pkg:composer/simplesamlphp/saml2@1.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.9.1"},{"url":"http://public2.vulnerablecode.io/api/packages/53293?format=json","purl":"pkg:composer/simplesamlphp/saml2@1.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/53295?format=json","purl":"pkg:composer/simplesamlphp/saml2@2.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-v3bx-f3um-8ubc"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.3"}],"aliases":["CVE-2016-9814","GHSA-r8v4-7vwj-983x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zemd-kbb3-s3cr"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.6.0"}