Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-8b8r-g7e2-qfb2
Vulnerability ID VCID-8b8r-g7e2-qfb2
Aliases CVE-2024-52806
GHSA-pxm4-r5ph-q2m2
Summary SimpleSAMLphp SAML2 has an XXE in parsing SAML messages Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-611 Improper Restriction of XML External Entity Reference
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00183 https://api.first.org/data/v1/epss?cve=CVE-2024-52806
cvssv3.1 8.3 https://github.com/simplesamlphp/saml2
cvssv4 6.9 https://github.com/simplesamlphp/saml2
generic_textual MODERATE https://github.com/simplesamlphp/saml2
cvssv3.1 8.3 https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
cvssv4 6.9 https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
generic_textual MODERATE https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
ssvc Track https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
cvssv3.1 8.3 https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
cvssv4 6.9 https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
generic_textual MODERATE https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
ssvc Track https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
cvssv3.1 8.3 https://nvd.nist.gov/vuln/detail/CVE-2024-52806
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2024-52806
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-52806
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-52806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52806
https://github.com/simplesamlphp/saml2
https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
1088904 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904
CVE-2024-52806 https://nvd.nist.gov/vuln/detail/CVE-2024-52806
GHSA-pxm4-r5ph-q2m2 https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
GHSA-pxm4-r5ph-q2m2 https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/simplesamlphp/saml2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L Found at https://github.com/simplesamlphp/saml2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L Found at https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/ Found at https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L Found at https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/ Found at https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-52806
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-52806
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.39843
EPSS Score 0.00183
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:22:44.416281+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52806.yml 38.6.0