[MEDIUM] Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation

PKSA-n72g-8zd8-6dm2 CVE-2026-30964 GHSA-f7pm-6hr8-7ggm

Affected version: >=5.2.0,<5.2.4

Reported by:
GitHub

[MEDIUM] The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames

PKSA-3mms-4n3p-ym65 CVE-2024-39912 GHSA-875x-g8p7-5w27

Affected version: >=4.5.0,<4.9.0

Reported by:
GitHub