Lemonldap Ng

Products by Lemonldap Ng Sorted by Most Security Vulnerabilities since 2018

Lemonldap Ng Lemonldap: 11 vulnerabilities

Lemonldap Ng Apache: 2 vulnerabilities

Lemonldap Ng: 2 vulnerabilities

By the Year

In 2026 there has been 1 vulnerability in Lemonldap Ng, with an average score of 7.2 out of ten. Last year, in 2025, Lemonldap Ng had 1 security vulnerability published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Lemonldap Ng in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.80.




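| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 1 | 7.20 |
| 2025 | 1 | 8.00 |
| 2024 | 2 | 7.45 |
| 2023 | 6 | 7.67 |
| 2022 | 2 | 9.80 |
| 2021 | 1 | 8.80 |
| 2020 | 0 | 0.00 |
| 2019 | 3 | 9.80 |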

It may take a day or so for new Lemonldap Ng vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Lemonldap Ng Security Vulnerabilities

| CVE | Date | Vulnerability | Products |
|-----|------|---------------|----------|
| CVE-2025-31510 | Jan 16, 2026 | LemonLDAP::NG XSS via tab param (pre 2.21.0) on login page. In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | |
| CVE-2025-59518 | Sep 17, 2025 | LemonLDAP::NG OS Command Injection in Safe Jail (v<2.16.7, <2.21.3). In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server. | |
| CVE-2024-52946 | Nov 18, 2024 | LemonLDAP::NG <2.20.1 Session Refresh Auth Escalation via Adaptative Rule. An issue was discovered in LemonLDAP::NG before 2.20.1. An Improper Check during session refresh allows an authenticated user to raise their authentication level if the admin configured an "Adaptative authentication rule" with an increment instead of an absolute value. | Lemonldap Ng |
| CVE-2024-48933 | Oct 09, 2024 | LemonLDAP::NG 2.19.2 XSS via username on login page. A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters. | Lemonldap, Lemonldap Ng |
| CVE-2023-44469 | Sep 29, 2023 | SSRF in LemonLDAP::NG OIDC Issuer <2.17.1 via request_uri. A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770. | Lemonldap |
| CVE-2019-19791 | May 29, 2023 | Unauthorized access to SOAP/REST endpoints in LemonLDAP::NG <2.0.7 via Apache config. In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive. | Lemonldap |
| CVE-2022-37186 | Apr 16, 2023 | LemonLDAP::NG <2.0.15 Session Timeout Deletion Failure (CVE-2022-37186). In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. | Lemonldap |
| CVE-2023-28862 | Mar 31, 2023 | Weak Session ID in AuthBasic (<2.16.1) LemonLDAP::NG. An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session. | Lemonldap |
| CVE-2020-36659 | Jan 27, 2023 | Apache::Session::Browseable <1.3.6 LDAP Cert Validity Bypass. In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix. | Apache |
| CVE-2020-36658 | Jan 27, 2023 | Apache::Session::LDAP <0.5: Unchecked X.509 Cert in LDAP Connections. In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix. | Apache |
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).