All 4 CVE vulnerabilities found in logto, with AI-generated Chinese analysis, references, and POCs.
Vendor: logto-io
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-55377 | Logto: Account Center MFA management step-up bypass via WebAuthn registration verification CWE-287 | 8.1 | High | 2026-07-10 |
| CVE-2026-55370 | Logto: TOTP code can be replayed within the RFC 6238 validity window (one-time use violation) CWE-294 | 6.4 | Medium | 2026-07-10 |
| CVE-2026-55789 | Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers CWE-91 | 8.5 | High | 2026-07-10 |
| CVE-2026-54714 | Logto: XSS via unescaped RelayState in SAML auto-submit form CWE-79 | 6.1 | Medium | 2026-07-10 |
All 4 known CVE vulnerabilities affecting logto with full Chinese analysis, references, and POCs where available.