163 matches found

Source: RedhatCVE (added 5 days ago)

CVE-2026-9090

Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted...

CVSS 9.1 | AI score 5.9 | EPSS 0.00015 | Exploits: 0 | References: 1
Source: ATTACKERKB (added 6 days ago)

CVE-2026-9098

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP...

AI score 5.8 | EPSS 0.0001 | Exploits: 0 | References: 2
Source: CVE (added 6 days ago)

CVE-2026-9095

Casdoor CVE-2026-9095 affects versions 2.362.0 and earlier. The ParseSamlResponse() function in object/saml_sp.go maps retrieved SAML assertions directly to user sessions without replay protection, lacking an assertion ID cache, OneTimeUse enforcement, or replay detection in the SAML SP code path. This en...

CVSS 8.1 | AI score 5.9 | EPSS 0.00041 | Exploits: 0 | References: 1
Source: Cvelist (added 6 days ago)

CVE-2026-9090

Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted...

EPSS 0.00015 | Exploits: 0 | References: 1
Source: Cvelist (added 2026/05/07 3:0 a.m.)

CVE-2026-41670 Admidio: SAML Response Sent to Unvalidated Assertion Consumer Service URL from AuthnRequest

Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the...

CVSS 8.2 | EPSS 0.00018 | Exploits: 0 | References: 2
Source: CVE (added 2026/03/18 1:14 a.m.)

CVE-2026-2603

CVE-2026-2603 affects Keycloak: an attacker can bypass security by sending a valid SAML response from an external IdP to the Keycloak SAML endpoint for IdP-initiated broker logins, enabling unauthorized authentication. The issue is described across multiple sources (NVD/EUVD/GHSA) with a CVSS v3....

CVSS 8.1 | AI score 5.8 | EPSS 0.00226 | Exploits: 0 | References: 6
Source: RedhatCVE (added 2026/01/09 12:28 p.m.)

CVE-2018-21263

An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account via a crafted SAML response...

CVSS 8.8 | AI score 6.7 | EPSS 0.00336 | Exploits: 0 | References: 1
Source: VulnCheck KEV (added 2025/12/15 12:0 a.m.)

VulnCheck KEV: CVE-2025-59718

An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14,...

CVSS 9.8 | AI score 5.8 | EPSS 0.09485 | Exploited in the wild | Exploits: 1 | References: 16
Source: RedhatCVE (added 2025/12/10 6:13 p.m.)

CVE-2025-59719

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message...

CVSS 9.8 | AI score 7.1 | EPSS 0.00262 | Exploits: 1 | References: 1
Source: EUVD (added 2025/12/09 6:30 p.m.)

EUVD-2025-202191

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message...

CVSS 9.8 | AI score 6.6 | EPSS 0.00262 | Exploits: 1 | References: 2
Source: NVD (added 2025/12/09 6:15 p.m.)

CVE-2025-59719

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message...

CVSS 9.8 | EPSS 0.00262 | Exploits: 1 | References: 1
Source: OSV (added 2025/12/09 6:15 p.m.)

CVE-2025-59719

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message...

CVSS 9.8 | AI score 5.8 | Exploits: 0 | References: 1
Source: CVE (added 2025/12/09 5:20 p.m.)

CVE-2025-59718

CVE-2025-59718/59719 describe an improper verification of cryptographic signatures that allows an unauthenticated attacker to bypass Fortinet FortiCloud SSO login via a crafted SAML response. Affected products span FortiOS (multiple versions up to 7.6.3, and earlier lines listed), FortiProxy, For...

CVSS 9.8 | AI score 6.7 | EPSS 0.09485 | Exploited in the wild | Exploits: 1 | References: 3 | Affected software: 3
Source: RedHat Linux (added 2025/11/17 12:56 a.m.)

lasso: Type confusion in Entr'ouvert Lasso

A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.8.2 and prior. A specially crafted SAML response can lead to arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability...

CVSS 9.8 | AI score 6.1 | EPSS 0.00173 | Exploits: 1 | References: 6
Source: Amazon (added 2025/11/10 12:0 a.m.)

Critical: lasso

Issue Overview: A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. CVE-2025-4640...

CVSS 9.8 | AI score 7.8 | EPSS 0.00174 | Exploits: 3
Source: SUSE CVE (added 2025/11/07 12:25 a.m.)

SUSE CVE-2025-46705

A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability...

CVSS 7.5 | AI score 6.9 | EPSS 0.00059 | Exploits: 1 | References: 7
Source: SUSE CVE (added 2025/11/07 12:25 a.m.)

SUSE CVE-2025-46784

A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerabili...

CVSS 7.5 | AI score 6.9 | EPSS 0.00149 | Exploits: 1 | References: 5
Source: SUSE CVE (added 2025/11/07 12:25 a.m.)

SUSE CVE-2025-47151

A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability...

CVSS 9.8 | AI score 7.8 | EPSS 0.00173 | Exploits: 1 | References: 10
Source: RedhatCVE (added 2025/11/06 3:2 p.m.)

CVE-2025-46705

A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability. Mitigation Mitigation fo...

CVSS 7.5 | AI score 6.2 | EPSS 0.00059 | Exploits: 1 | References: 5
Source: RedhatCVE (added 2025/11/06 3:2 p.m.)

CVE-2025-46784

A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this...

CVSS 7.5 | AI score 6.2 | EPSS 0.00149 | Exploits: 1 | References: 5