Skip to main content

Logto EUVDEUVD-2026-43009

| CVE-2026-54714 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 security-advisories@github.com
6.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS, no attacker privileges needed, victim must complete login (UI:R), scope changes to Logto origin; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:36 vuln.today

DescriptionCVE.org

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute escaping. A SAML application flow with a crafted RelayState from GET or POST /api/saml/:id/authn could inject script that runs on the Logto tenant origin after the user completes login. This issue is fixed in version 1.41.0.

AnalysisAI

Reflected XSS in Logto's SAML application flow allows unauthenticated remote attackers to inject and execute arbitrary JavaScript on the Logto tenant origin by supplying a crafted RelayState parameter. Versions prior to 1.41.0 of @logto/core reflect the SAML RelayState, SAMLResponse, and actionUrl directly into an auto-submit HTML form without HTML-attribute escaping, meaning a victim who follows a crafted SAML authentication link and completes the login sequence will execute attacker-controlled script within the identity provider's origin context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Logto tenant with SAML app enabled
Delivery
Enumerate valid SAML application ID
Exploit
Craft malicious RelayState payload in /api/saml/:id/authn URL
Install
Deliver link to victim via phishing
C2
Victim completes SAML login flow
Execute
Injected script executes on Logto tenant origin
Impact
Harvest session tokens or OIDC credentials

Vulnerability AssessmentAI

Exploitation The SAML application feature must be configured and active in the Logto instance - this is not a default-on feature for all Logto deployments and requires deliberate administrative setup of a SAML application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) accurately reflects a network-accessible, low-complexity reflected XSS with a scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a publicly accessible Logto tenant with SAML federation enabled and discovers (or enumerates) a valid SAML application ID. They construct a malicious URL to /api/saml/:id/authn with a crafted RelayState parameter containing an HTML-attribute-breaking payload (e.g., closing an attribute and injecting an onerror handler), then deliver this link to a target user via phishing email. …
Remediation Upgrade Logto to version 1.41.0 or later, which contains the HTML-attribute escaping fix applied in commit 209fa0a5cbe8522f9cf31873239dc6424099bb5e (PR #9008). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy