Zabbix 8.0.0beta2 — Security Vulnerability Report


Security Vulnerability Findings

Finding 01 – High Severity

• Library: robrichards/xmlseclibs
• Installed Version: 3.1.4
• Fixed Version: 3.1.5
• CVE: CVE-2026-32313
• Issue: Missing validation of the AES-GCM authentication tag on encrypted XML nodes. In environments where Zabbix SAML SSO is enabled, this vulnerability may allow attackers to manipulate SAML assertions and potentially bypass authentication controls.
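To show why the tag check in Finding 01 matters, the following Go program (added here as an illustration, not Zabbix or xmlseclibs code) contrasts a decrypt that verifies the AES-GCM tag with one that discards it; the key, nonce and SAML-like attribute are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed 16-byte key and 12-byte nonce, for this demonstration only.
var demoKey = []byte("0123456789abcdef")
var demoNonce = []byte("demo-nonce12")

// OpenUnverified models a decryptor that never checks the GCM tag. With a 96-bit nonce
// GCM's keystream is AES-CTR starting at nonce||0x00000002, so any ciphertext "decrypts".
func OpenUnverified(block cipher.Block, nonce, sealed []byte) []byte {
	iv := make([]byte, 16)
	copy(iv, nonce)
	binary.BigEndian.PutUint32(iv[12:], 2)
	ct := sealed[:len(sealed)-16] // strip the tag without validating it
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt
}

// Demo seals a constructed SAML-like attribute, corrupts one ciphertext byte, and reports
// whether a tag-checking decrypt rejects it and whether a tag-ignoring one returns altered text.
func Demo() (rejected, silentlyAltered bool) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err) // demoKey is a valid AES-128 key
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	msg := []byte("<Attribute Name=\"role\">user</Attribute>")
	sealed := gcm.Seal(nil, demoNonce, msg, nil) // ciphertext || 16-byte tag
	sealed[0] ^= 0x01                              // corrupt a single ciphertext byte
	_, err = gcm.Open(nil, demoNonce, sealed, nil) // correct path: tag recomputed and compared
	rejected = err != nil
	// Vulnerable path: the tag is ignored and altered plaintext is handed back as genuine.
	silentlyAltered = !bytes.Equal(OpenUnverified(block, demoNonce, sealed), msg)
	return rejected, silentlyAltered
}

func main() {
	fmt.Println(Demo()) // prints: true true
}
```

A consumer that relies on the tag-ignoring path has no way to tell a genuine assertion from a modified one, which is exactly the condition the fixed xmlseclibs release closes.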

Finding 02 – Low Severity

• Library: symfony/yaml
• Installed Version: 5.1.3
• Fixed Version: 5.4.52
• CVE: CVE-2026-45133
• Issue: The library is vulnerable to stack exhaustion caused by unbounded recursion when processing deeply nested YAML structures, which may lead to application instability.

Finding 03 – Low Severity

• Library: symfony/yaml
• Installed Version: 5.1.3
• Fixed Version: 5.4.52
• CVE: CVE-2026-45304
• Issue: A memory exhaustion vulnerability caused by recursive alias expansion (commonly known as the "Billion Laughs" attack), which can result in excessive resource consumption and denial-of-service conditions.

Finding 04 – Low Severity

• Library: symfony/yaml
• Installed Version: 5.1.3
• Fixed Version: 5.4.52
• CVE: CVE-2026-45305
• Issue: The Parser::cleanup() regular expression is susceptible to catastrophic backtracking, potentially enabling a Regular Expression Denial of Service (ReDoS) attack through specially crafted input.

Recommendation

Upgrade the affected libraries to their respective fixed versions to remediate the identified vulnerabilities and reduce security risks.

Assignee: Zabbix Support Team
Reporter: keerthivaasen