Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/simplesamlphp/saml2@1.10.6
purl pkg:composer/simplesamlphp/saml2@1.10.6
Next non-vulnerable version 4.17.0
Latest non-vulnerable version 4.17.0
Risk 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-139j-7afy-wyf1
Aliases:
CVE-2019-3465
GHSA-pqm6-cgwr-x6pf
Improper Input Validation Rob Richards XmlSecLibs, as used for example by SimpleSAMLphp, performs incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.
2.0.0
Affected by 8 other vulnerabilities.
VCID-6c55-4pyx-ckbx
Aliases:
CVE-2025-27773
GHSA-46r4-f8gj-xg56
The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. I believe that it exists for v4 only. I have not yet developed a PoC. V5 is well designed and instead builds the signed query from the same message that will be consumed.
4.17.0
Affected by 0 other vulnerabilities.
5.0.0-alpha.20
Affected by 0 other vulnerabilities.
VCID-8b8r-g7e2-qfb2
Aliases:
CVE-2024-52806
GHSA-pxm4-r5ph-q2m2
SimpleSAMLphp SAML2 has an XXE in parsing SAML messages Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
4.6.14
Affected by 1 other vulnerability.
VCID-ma9b-k5br-ffhd
Aliases:
CVE-2024-52596
GHSA-2x65-fpch-2fcm
SimpleSAMLphp xml-common XXE vulnerability When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
4.6.14
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-xx6m-pvgs-puga Incorrect signature validation An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. CVE-2018-7711
GHSA-g888-g2pp-82hf

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T05:41:55.276521+00:00 GitLab Importer Affected by VCID-6c55-4pyx-ckbx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2025-27773.yml 38.6.0
2026-06-06T05:33:19.374997+00:00 GitLab Importer Affected by VCID-ma9b-k5br-ffhd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52596.yml 38.6.0
2026-06-06T05:33:02.920016+00:00 GitLab Importer Affected by VCID-8b8r-g7e2-qfb2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52806.yml 38.6.0
2026-06-04T20:25:21.700669+00:00 GitLab Importer Affected by VCID-139j-7afy-wyf1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2019-3465.yml 38.6.0
2026-06-04T17:59:48.962624+00:00 GithubOSV Importer Fixing VCID-xx6m-pvgs-puga https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g888-g2pp-82hf/GHSA-g888-g2pp-82hf.json 38.6.0
2026-06-02T04:37:33.696636+00:00 GitLab Importer Fixing VCID-xx6m-pvgs-puga https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-7711.yml 38.6.0