Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered reflected XSS, no attacker privileges needed, victim must complete login (UI:R), scope changes to Logto origin; no availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0.
AnalysisAI
Reflected XSS in Logto's SAML application flow allows unauthenticated remote attackers to inject and execute arbitrary JavaScript on the Logto tenant origin by supplying a crafted RelayState parameter. Versions prior to 1.41.0 of @logto/core reflect the SAML RelayState, SAMLResponse, and actionUrl directly into an auto-submit HTML form without HTML-attribute escaping, meaning a victim who follows a crafted SAML authentication link and completes the login sequence will execute attacker-controlled script within the identity provider's origin context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The SAML application feature must be configured and active in the Logto instance - this is not a default-on feature for all Logto deployments and requires deliberate administrative setup of a SAML application. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) accurately reflects a network-accessible, low-complexity reflected XSS with a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a publicly accessible Logto tenant with SAML federation enabled and discovers (or enumerates) a valid SAML application ID. They construct a malicious URL to /api/saml/:id/authn with a crafted RelayState parameter containing an HTML-attribute-breaking payload (e.g., closing an attribute and injecting an onerror handler), then deliver this link to a target user via phishing email. … |
| Remediation | Upgrade Logto to version 1.41.0 or later, which contains the HTML-attribute escaping fix applied in commit 209fa0a5cbe8522f9cf31873239dc6424099bb5e (PR #9008). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43009