CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-5cjr-mxj5-wmrx: SimpleSAMLphp has Possible DoS via XPath Transform

highCVSS 7.5CVE-2026-49289
Summary This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications (and specifically refuse XPath transforms). Impact An attacker is able to send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2-library) to be able to perform a Denial-of-Service attack.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 7.5
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-5cjr-mxj5-wmrx

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49289coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories