92 matches found
CVE-2026-41003
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
Cross-site Scripting (XSS)
Overview org.springframework.security:spring-security-saml2-service-provider is a security component for the Spring Framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the RelyingPartyRegistration function. An attacker can execute arbitrary scripts in the...
CVE-2026-41003
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
Spring Security 跨站脚本漏洞
VMware Spring Security is a security framework provided by the American company VMware, designed to provide descriptive security protection for Spring-based applications. VMware Spring Security has a cross-site scripting vulnerability, which allows attackers to manipulate values within...
CVE-2026-41003 Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
CVE-2026-41003 Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...
CVE-2026-41003
CVE-2026-41003 affects Spring Security; an attacker who can influence values in RelyingPartyRegistration may be able to execute arbitrary code on HTML forms generated by Spring Security filters. Affected versions include Spring Security 5.7.0–5.7.23, 5.8.0–5.8.25, 6.3.0–6.3.16, 6.4.0–6.4.16, 6.5....
PT-2026-48308
Name of the Vulnerable Software and Affected Versions Spring Security versions 5.7.0 through 5.7.23 Spring Security versions 5.8.0 through 5.8.25 Spring Security versions 6.3.0 through 6.3.16 Spring Security versions 6.4.0 through 6.4.16 Spring Security versions 6.5.0 through 6.5.10 Spring Securi...
GHSA-22W3-693W-X895 webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed
Summary webauthn-rs-core Relying Partyrp and webauthn-authenticator-rs client checked that an Origin in CollectedClientDataorigin is valid for an RP IDrpid with str::endswithends-with, without checking for a dot . before the RP ID when allowing subdomainsregisterable-suffix. This check is flawed,...
webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed
Summary webauthn-rs-core Relying Partyrp and webauthn-authenticator-rs client checked that an Origin in CollectedClientDataorigin is valid for an RP IDrpid with str::endswithends-with, without checking for a dot . before the RP ID when allowing subdomainsregisterable-suffix. This check is flawed,...
GHSA-F7PM-6HR8-7GGM Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
Summary When allowedorigins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. Details CheckAllowedOrigins stores each...
YSA-2026-02 | Yubico
A security update is available for the Yubico open-source software project webauthn-server-core to resolve a user impersonation vulnerability. No Yubico hardware is affected. In specific implementations, an attacker that has an existing account with a relying party RP can authenticate as a target...
[SECURITY] Fedora 43 Update: rust-routinator-0.14.2-4.fc43
An RPKI relying party software...
CVE-2026-22694
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...
CVE-2026-22694
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...
PT-2026-2917
AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response fo...
CVE-2025-57540
A stored cross-site scripting XSS vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment PVE 8.4. Authenticated users can inject JavaScript code that is later executed in the browsers of users who view the configuration page,...
CVE-2025-57540
A stored cross-site scripting XSS vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment PVE 8.4. Authenticated users can inject JavaScript code that is later executed in the browsers of users who view the configuration page,...
CVE-2025-57540
A stored cross-site scripting XSS vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment PVE 8.4. Authenticated users can inject JavaScript code that is later executed in the browsers of users who view the configuration page,...
CVE-2025-57540
A stored cross-site scripting XSS vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment PVE 8.4. Authenticated users can inject JavaScript code that is later executed in the browsers of users who view the configuration page,...