PKSA-1sct-n8q3-hf7r Security Advisory
[MEDIUM] Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
PKSA-1sct-n8q3-hf7r CVE-2026-30964 GHSA-f7pm-6hr8-7ggm
Affected package: web-auth/webauthn-framework
Affected version: >=5.2.0,<5.2.4
Reported by: GitHub