From 3284ec9d5e634c88d17f6c83b61a5b1a1d271ca5 Mon Sep 17 00:00:00 2001
From: sampion88
Date: Thu, 5 Mar 2026 10:53:02 +0100
Subject: [PATCH 1/3] new vulnerability in keycloak-services

---
 input/new.json | 36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/input/new.json b/input/new.json
index 87646b9a..1761f2d4 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,15 +1,25 @@
 {
- "package_name": "",
- "patch_versions": [],
- "vulnerable_ranges": [],
- "cwe": [],
- "tldr": "",
- "doest_this_affect_me": "",
- "how_to_fix": "",
- "vulnerable_to": "",
- "related_cve_id": "",
- "language": "",
- "severity_class": "",
- "aikido_score": 0,
- "changelog": ""
+ "package_name": "keycloak-services",
+ "org_name": "org.keycloak",
+ "patch_versions": [
+ "26.5.3"
+ ],
+ "vulnerable_ranges": [
+ [
+ "0.0.1",
+ "26.5.2"
+ ]
+ ],
+ "cwe": [
+ "CWE-112"
+ ],
+ "tldr": "Affected versions of this package are vulnerable to improper validation of SAML assertions. When configured as a client in a Security Assertion Markup Language (SAML) setup, the application does not validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData` element. This allows an attacker to reuse or delay the expiration of SAML responses, potentially extending the period during which a response is considered valid and leading to unintended session durations or resource consumption.",
+ "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+ "how_to_fix": "Upgrade the `org.keycloak:keycloak-services` library to a patch version.",
+ "vulnerable_to": "Missing XML Validation",
+ "related_cve_id": "CVE-2026-11902",
+ "language": "java",
+ "severity_class": "LOW",
+ "aikido_score": 31,
+ "changelog": "https://github.com/keycloak/keycloak/releases/tag/26.5.4"
 }
From 0c5111cb901187355b551f395d32b945b8c3ac0a Mon Sep 17 00:00:00 2001
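Review bot: `doest_this_affect_me` drops the precondition that `tldr` states — the weakness only applies when the deployment is configured as a client in a SAML setup — so a consumer reading that field alone will treat every installation in the version range as affected. Suggest `"doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range and the deployment is configured as a client in a SAML setup."`. The `cwe` value `CWE-112` (Missing XML Validation) agrees with `vulnerable_to`, but the defect described is a missing check of the `NotOnOrAfter` time condition rather than validation of the XML itself, so a time-based weakness such as CWE-613 (Insufficient Session Expiration) may be the closer classification; worth confirming against the upstream advisory before this entry is published. The `tldr` phrase "reuse or delay the expiration of SAML responses" reads ambiguously; "replay SAML responses after their `NotOnOrAfter` time has passed" states the risk more precisely and matches the rest of the sentence.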
From: sampion88
Date: Thu, 5 Mar 2026 10:54:16 +0100
Subject: [PATCH 2/3] new vulnerability in keycloak-services

---
 input/new.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/input/new.json b/input/new.json
index 1761f2d4..4ecb207b 100644
--- a/input/new.json
+++ b/input/new.json
@@ -2,12 +2,12 @@
 "package_name": "keycloak-services",
 "org_name": "org.keycloak",
 "patch_versions": [
- "26.5.3"
+ "26.5.4"
 ],
 "vulnerable_ranges": [
 [
 "0.0.1",
- "26.5.2"
+ "26.5.3"
 ]
 ],
 "cwe": [
From d1a51b43c946c4c617cc9b46ba425ac3285901c1 Mon Sep 17 00:00:00 2001
From: sampion88 <36301168+sampion88@users.noreply.github.com>
Date: Thu, 5 Mar 2026 11:06:07 +0100
Subject: [PATCH 3/3] Update new.json

---
 input/new.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/input/new.json b/input/new.json
index 4ecb207b..8649ad0e 100644
--- a/input/new.json
+++ b/input/new.json
@@ -17,7 +17,7 @@
 "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
 "how_to_fix": "Upgrade the `org.keycloak:keycloak-services` library to a patch version.",
 "vulnerable_to": "Missing XML Validation",
- "related_cve_id": "CVE-2026-11902",
+ "related_cve_id": "CVE-2026-1190",
 "language": "java",
 "severity_class": "LOW",
 "aikido_score": 31,
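Review bot: The `related_cve_id` correction from `CVE-2026-11902` to `CVE-2026-1190` is not traceable from anything on the page: the two ids differ only by a trailing digit, so either could be a typo of the other, and the commit message `Update new.json` does not say which source the new value was checked against. Consumers of this feed correlate advisories by CVE id, so a wrong id here silently breaks matching with upstream data while looking perfectly valid. Please name the source of the id (for example the upstream advisory or the release notes at the `changelog` URL already in this file) in the commit message, and confirm that `CVE-2026-1190` describes the `NotOnOrAfter` issue summarised in `tldr`. That `tldr` line sits outside this hunk, which otherwise changes only the one id.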