Search criteria
12 vulnerabilities by Casdoor
CVE-2026-9098 (GCVE-0-2026-9098)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:31 – Updated: 2026-05-28 16:31
VLAI
Title
CVE-2026-9098
Summary
In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-346 Origin Validation Error",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:31:42.767Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9098",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9098"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9098",
"datePublished": "2026-05-28T16:31:42.767Z",
"dateReserved": "2026-05-20T15:05:20.584Z",
"dateUpdated": "2026-05-28T16:31:42.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9097 (GCVE-0-2026-9097)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:29 – Updated: 2026-05-28 16:29
VLAI
Title
CVE-2026-9097
Summary
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:29:06.752Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9097",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9097"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9097",
"datePublished": "2026-05-28T16:29:06.752Z",
"dateReserved": "2026-05-20T15:05:12.699Z",
"dateUpdated": "2026-05-28T16:29:06.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9096 (GCVE-0-2026-9096)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:27 – Updated: 2026-05-28 16:27
VLAI
Title
CVE-2026-9096
Summary
Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:27:15.206Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9096",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9096"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9096",
"datePublished": "2026-05-28T16:27:15.206Z",
"dateReserved": "2026-05-20T15:05:04.383Z",
"dateUpdated": "2026-05-28T16:27:15.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9095 (GCVE-0-2026-9095)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:25 – Updated: 2026-05-28 17:07
VLAI
Title
CVE-2026-9095
Summary
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
Severity
8.1 (High)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T17:07:35.384837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:07:58.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion\u2019s subject, including administrator accounts, without needing the user\u2019s password or MFA credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:25:17.364Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9095",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9095"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9095",
"datePublished": "2026-05-28T16:25:17.364Z",
"dateReserved": "2026-05-20T15:04:41.651Z",
"dateUpdated": "2026-05-28T17:07:58.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9094 (GCVE-0-2026-9094)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:25 – Updated: 2026-05-28 16:25
VLAI
Title
CVE-2026-9094
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token\u0027s user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:25:09.055Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9094",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9094"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9094",
"datePublished": "2026-05-28T16:25:09.055Z",
"dateReserved": "2026-05-20T15:04:30.259Z",
"dateUpdated": "2026-05-28T16:25:09.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9093 (GCVE-0-2026-9093)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:21 – Updated: 2026-05-28 16:21
VLAI
Title
CVE-2026-9093
Summary
In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-863 Incorrect Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:21:50.192Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9093",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9093"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9093",
"datePublished": "2026-05-28T16:21:50.192Z",
"dateReserved": "2026-05-20T15:04:21.545Z",
"dateUpdated": "2026-05-28T16:21:50.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9092 (GCVE-0-2026-9092)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:20 – Updated: 2026-05-28 16:20
VLAI
Title
CVE-2026-9092
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:20:45.547Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9092",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9092"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9092",
"datePublished": "2026-05-28T16:20:45.547Z",
"dateReserved": "2026-05-20T15:04:14.204Z",
"dateUpdated": "2026-05-28T16:20:45.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9091 (GCVE-0-2026-9091)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:19 – Updated: 2026-05-29 19:01
VLAI
Title
CVE-2026-9091
Summary
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement.
Severity
5.3 (Medium)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:01:45.674578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:01:52.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a logic flaw in the social\u2011login binding flow that allows users to bypass configured MFA requirements. The binding\u2011rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:19:39.239Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9091",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9091"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9091",
"datePublished": "2026-05-28T16:19:39.239Z",
"dateReserved": "2026-05-20T15:04:03.933Z",
"dateUpdated": "2026-05-29T19:01:52.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9090 (GCVE-0-2026-9090)
Vulnerability from cvelistv5 – Published: 2026-05-28 16:17 – Updated: 2026-05-29 19:41
VLAI
Title
CVE-2026-9090
Summary
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key.
Severity
9.1 (Critical)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/780781 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:41:15.349183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:41:34.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "2.362.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T16:17:21.953Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-9090",
"x_generator": {
"engine": "VINCE 3.0.41",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-9090"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-9090",
"datePublished": "2026-05-28T16:17:21.953Z",
"dateReserved": "2026-05-20T15:03:52.700Z",
"dateUpdated": "2026-05-29T19:41:34.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6815 (GCVE-0-2026-6815)
Vulnerability from cvelistv5 – Published: 2026-05-11 15:20 – Updated: 2026-05-13 12:33
VLAI
Title
CVE-2026-6815
Summary
An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application's intended storage sandbox.
Severity
5.9 (Medium)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/937808 |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-11T16:53:24.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/937808"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:32:45.925471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:33:15.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Casdoor",
"vendor": "Casdoor",
"versions": [
{
"lessThanOrEqual": "v2.328.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file write vulnerability exists in Casdoor\u0027s Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application\u0027s intended storage sandbox."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:20:25.606Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/937808"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-6815",
"x_generator": {
"engine": "VINCE 3.0.39",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-6815"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-6815",
"datePublished": "2026-05-11T15:20:25.606Z",
"dateReserved": "2026-04-21T18:50:35.842Z",
"dateUpdated": "2026-05-13T12:33:15.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41658 (GCVE-0-2024-41658)
Vulnerability from cvelistv5 – Published: 2024-08-20 20:11 – Updated: 2024-08-21 13:42
VLAI
Title
GHSL-2024-036: Reflected XSS in QrCodePage.js
Summary
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and redirects the user to that url after a successful purchase. Because the user has no reason to think that the payment page contains sensitive information, they may share it with other or can be social engineered into sending it to others. An attacker can then craft the casdoor link with a special url and send it back to the user, and once payment has gone though an XSS attack occurs.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_CONFIRM |
| https://github.com/casdoor/casdoor/blob/v1.577.0/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "casdoor",
"vendor": "casbin",
"versions": [
{
"lessThanOrEqual": "1.577.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41658",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:26:30.901885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T13:42:37.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "casdoor",
"vendor": "casdoor",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.577.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and redirects the user to that url after a successful purchase. Because the user has no reason to think that the payment page contains sensitive information, they may share it with other or can be social engineered into sending it to others. An attacker can then craft the casdoor link with a special url and send it back to the user, and once payment has gone though an XSS attack occurs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T20:11:33.751Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor/"
},
{
"name": "https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js"
}
],
"source": {
"advisory": "GHSA-gv2p-4mvg-g32h",
"discovery": "UNKNOWN"
},
"title": "GHSL-2024-036: Reflected XSS in QrCodePage.js"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41658",
"datePublished": "2024-08-20T20:11:33.751Z",
"dateReserved": "2024-07-18T15:21:47.482Z",
"dateUpdated": "2024-08-21T13:42:37.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41657 (GCVE-0-2024-41657)
Vulnerability from cvelistv5 – Published: 2024-08-20 20:11 – Updated: 2024-08-20 20:54
VLAI
Title
GHSL-2024-035: Casdoor CORS misconfiguration
Summary
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.
Severity
8.1 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_CONFIRM |
| https://github.com/casdoor/casdoor/blob/v1.577.0/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "casdoor",
"vendor": "casbin",
"versions": [
{
"lessThanOrEqual": "1.577.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41657",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T20:53:11.068829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T20:54:45.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "casdoor",
"vendor": "casdoor",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.577.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T20:11:29.788Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor/"
},
{
"name": "https://github.com/casdoor/casdoor/blob/v1.577.0/routers/cors_filter.go#L45",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/casdoor/casdoor/blob/v1.577.0/routers/cors_filter.go#L45"
}
],
"source": {
"advisory": "GHSA-mchx-7j67-8mcf",
"discovery": "UNKNOWN"
},
"title": "GHSL-2024-035: Casdoor CORS misconfiguration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41657",
"datePublished": "2024-08-20T20:11:29.788Z",
"dateReserved": "2024-07-18T15:21:47.482Z",
"dateUpdated": "2024-08-20T20:54:45.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}