CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49289

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-02
Summary This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications (and specifically refuse XPath transforms). Impact An attacker is able to send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2-library) to be able to perform a Denial-of-Service attack.

⚡ Watch CVE-2026-49289

Get an email if CVE-2026-49289 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49289

CVE.org record

Embed the live status

CVE-2026-49289 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49289 status](https://www.csirts.com/badge/CVE-2026-49289)](https://www.csirts.com/cve/CVE-2026-49289)