[MEDIUM] Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation

PKSA-1sct-n8q3-hf7r CVE-2026-30964 GHSA-f7pm-6hr8-7ggm

Affected version: >=5.2.0,<5.2.4

Reported by:
GitHub

[MEDIUM] The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

PKSA-sjrk-y37x-n2ck CVE-2024-39912 GHSA-875x-g8p7-5w27

Affected version: >=4.5.0,<4.9.0

Reported by:
GitHub

[CRITICAL] Improper Access Control in Webauthn Framework

PKSA-tgdf-n8gt-ty6f CVE-2021-38299 GHSA-6whf-q6p5-84wg

Affected version: >=3.3.0,<3.3.4

Reported by:
GitHub