Skip to main content

Lemonldap Ng

1 CVEs product

Monthly

CVE-2026-12804 LOW Monitor

Open redirect in LemonLDAP::NG versions up to and including 2.23.0 allows unauthenticated remote attackers to manipulate the `url` argument within the SAML Common Domain Cookie (CDC) endpoint, causing authenticated SSO users to be silently forwarded to arbitrary attacker-controlled domains. The SSO context makes this particularly high-consequence for phishing: victims trust the identity provider's domain, lowering suspicion of the crafted redirect URL. Publicly available exploit code exists (CVSS 4.0 E:P); no vendor patch has been confirmed, as the vendor was unresponsive to responsible disclosure by VulDB.

Open Redirect Lemonldap Ng
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
EPSS 0% CVSS 2.1
LOW Monitor

Open redirect in LemonLDAP::NG versions up to and including 2.23.0 allows unauthenticated remote attackers to manipulate the `url` argument within the SAML Common Domain Cookie (CDC) endpoint, causing authenticated SSO users to be silently forwarded to arbitrary attacker-controlled domains. The SSO context makes this particularly high-consequence for phishing: victims trust the identity provider's domain, lowering suspicion of the crafted redirect URL. Publicly available exploit code exists (CVSS 4.0 E:P); no vendor patch has been confirmed, as the vendor was unresponsive to responsible disclosure by VulDB.

Open Redirect Lemonldap Ng
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy