CVE-2026-49289
SimpleSAMLphp has Possible DoS via XPath Transform
Description
## Summary
This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform algorithms mentioned in the SAML 2.0 Core Specification (and specifically to refuse XPath transforms).
## Impact
An attacker is able to send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2 library) in order to perform a Denial-of-Service attack.
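The mitigation described above, as an added example that is not SimpleSAMLphp's or the SAML2 library's own code: before any signature is verified, walk every `ds:Reference` in the `ds:Signature`, cap the number of `ds:Transform` elements, and accept only the algorithms SAML 2.0 Core section 5.4.4 permits (enveloped-signature and exclusive canonicalization with or without comments), so an XPath transform is refused before it is ever evaluated. The function name `checkSignatureTransforms` and the limit `MAX_TRANSFORMS = 2` are assumptions of this example; the page does not state the library's own limit. The sample XML is constructed for the demonstration.

```php
<?php
// Added example (not the project's own code): enforce SAML 2.0 Core 5.4.4
// transform restrictions on every ds:Reference before signature verification.
declare(strict_types=1);

const XMLDSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

// The only transform algorithms SAML 2.0 Core 5.4.4 allows in signed SAML messages.
const ALLOWED_TRANSFORMS = [
    'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
    'http://www.w3.org/2001/10/xml-exc-c14n#',
    'http://www.w3.org/2001/10/xml-exc-c14n#WithComments',
];

// Assumption: a conforming SAML signature needs at most two transforms
// (enveloped-signature followed by exclusive c14n); the page gives no number.
const MAX_TRANSFORMS = 2;

/**
 * Returns the reasons the signature's transforms are unacceptable.
 * An empty array means every ds:Reference passed the check.
 */
function checkSignatureTransforms(string $xml): array
{
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML;
    // entity substitution (LIBXML_NOENT) is deliberately not enabled.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        return ['document is not well-formed XML'];
    }
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('ds', XMLDSIG_NS);

    $problems = [];
    foreach ($xp->query('//ds:Signature/ds:SignedInfo/ds:Reference') as $i => $ref) {
        $transforms = $xp->query('./ds:Transforms/ds:Transform', $ref);
        if ($transforms->length > MAX_TRANSFORMS) {
            $problems[] = sprintf(
                'reference %d: %d transforms exceeds the limit of %d',
                $i, $transforms->length, MAX_TRANSFORMS
            );
            continue; // do not inspect an oversized transform list at all
        }
        foreach ($transforms as $t) {
            $alg = $t->getAttribute('Algorithm');
            if (!in_array($alg, ALLOWED_TRANSFORMS, true)) {
                $problems[] = sprintf(
                    'reference %d: transform algorithm %s is not permitted', $i, $alg
                );
            }
        }
    }
    return $problems;
}

// Constructed sample: a minimal signed-response skeleton whose second
// reference carries an XPath transform, which the check must refuse.
$sample = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_r1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
      </ds:Reference>
      <ds:Reference URI="#_r1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <ds:XPath>not(self::ds:Signature)</ds:XPath>
          </ds:Transform>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>
XML;

$problems = checkSignatureTransforms($sample);
if ($problems === []) {
    echo "transforms acceptable\n";
} else {
    foreach ($problems as $p) {
        echo "reject: $p\n";
    }
}
```

Run the check on the raw message before handing it to the signature verifier: the whole point is that a rejected transform is never executed, and the count limit stops an attacker from padding a single reference with many transforms. The first reference in the sample passes (enveloped-signature plus exclusive c14n); the second is rejected on its algorithm identifier alone, without the XPath expression being evaluated.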
How to fix CVE-2026-49289
To remediate CVE-2026-49289, upgrade the affected package to a fixed version below.
- —upgrade to 4.20.3 or later
- —upgrade to 4.20.3 or later
Is CVE-2026-49289 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49289.
Affected packages (2)
- from 0, < 4.20.3
- from 0, < 4.20.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |