CVE-2026-9096
CVE-2026-9096 affects Casdoor
Casdoor security vulnerability
Casdoor is an open-source platform developed by Casdoor that supports various authentication and authorization protocols. Versions of Casdoor prior to 2.362.0 contained a security vulnerability. This vulnerability stemmed from the lack of enforcement of SAML assertion time ranges. The gosaml2...
GO-2026-4760 CBC Padding Panic — Unauthenticated Process Crash in github.com/russellhaering/gosaml2
CBC Padding Panic — Unauthenticated Process Crash in github.com/russellhaering/gosaml2...
GO-2026-4764 Unsigned SAML LogoutRequest Acceptance in gosaml2 in github.com/russellhaering/gosaml2
Unsigned SAML LogoutRequest Acceptance in gosaml2 in github.com/russellhaering/gosaml2...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the ValidateEncodedLogoutRequestPOST function. An attacker can terminate arbitrary user sessions by sending a forged, unsigned SAML LogoutRequest to the Single Logout endpoint, even...
GHSA-PCGW-QCV5-H8CH Unsigned SAML LogoutRequest Acceptance in gosaml2
Summary The ValidateEncodedLogoutRequestPOST function in gosaml2 accepts completely unsigned SAML LogoutRequest messages even when SkipSignatureValidation is set to false. When validateElementSignature returns dsig.ErrMissingSignature, the code in decodelogoutrequest.go:60-62 silently falls throu...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index via the DecryptBytes function. An attacker can cause the process or goroutine to crash by sending a crafted AES-CBC encrypted assertion with a plaintext of all zero bytes, which triggers a panic due to...
GHSA-HWQM-QVJ9-4JR2 gosaml2 CBC Padding Panic — Unauthenticated Process Crash
Summary The AES-CBC decryption path in DecryptBytes panics on crafted ciphertext whose plaintext is all zero bytes. After decryption, `bytes.TrimRight(data, "\x00")` empties the slice, then `data[len(data)-1]` panics with index out of range [-1]. There is no recover in the library. The panic propagates throu...
EUVD-2023-0904
Malicious code in bioql PyPI...
CVE-2023-26483
A flaw was found in the gosaml2 package library. This issue may allow attackers to craft a deflate-compressed request, which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed...
Denial Of Service (DoS)
github.com/russellhaering/gosaml2 is vulnerable to Denial of Service (DoS). The vulnerability exists because the library does not limit the maximum compression ratio achievable with deflate, possibly allowing an attacker to cause the process to crash by sending maliciously crafted deflate-compress...
Design/Logic Flaw
gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a deflate-compressed request which will consume significantly more memor...
CVE-2023-26483
CVE-2023-26483 affects the Go library gosaml2 (SAML 2.0 implementation). A bug allows attackers to craft a deflate-compressed request that can consume memory far beyond the original size, potentially causing memory exhaustion and process termination (a deflate decompression bomb). The maximal obs...
CVE-2023-26483 gosaml2 vulnerable to Denial of Service via deflate decompression bomb
gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a deflate-compressed request which will consume significantly more memor...
GO-2023-1602 Denial of service via deflate decompression bomb in github.com/russellhaering/gosaml2
A bug in SAML authentication library can result in Denial of Service attacks. Attackers can craft a "deflate"-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process bein...
gosaml2 security vulnerability
gosaml2 is a software library. It provides a SAML 2.0 implementation of a service provider's functionality based on etree and goxmldsig, a pure Go implementation of XML digital signatures. A security vulnerability exists in gosaml2, which stems from the fact that a much larger amount of memory...