Packagist (Composer) package
web-auth/webauthn-framework
pkg:composer/web-auth/webauthn-framework
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30964 | Med | 5.4 | | >= 5.2.0, < 5.2.4 | 5.2.4 | Mar 10, 2026 | web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their h |
| CVE-2024-39912 | Med | 5.3 | | >= 4.5.0, < 4.9.0 | 4.9.0 | Jul 15, 2024 | web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no user |
| CVE-2021-38299 | — | | | >= 3.3.0, < 3.3.4 | 3.3.4 | Sep 27, 2021 | Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence. |