VYPR
Medium severity5.4NVD Advisory· Published Mar 10, 2026· Updated May 7, 2026

CVE-2026-30964

CVE-2026-30964

Description

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. This vulnerability is fixed in 5.2.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
web-auth/webauthn-frameworkPackagist
>= 5.2.0, < 5.2.45.2.4
web-auth/webauthn-libPackagist
>= 5.2.0, < 5.2.45.2.4
web-auth/webauthn-symfony-bundlePackagist
>= 5.2.0, < 5.2.45.2.4

Affected products

15

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.