oss-security - CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <216d53c2-a071-3960-0ac0-ca7e659b1c6a@apache.org>
Date: Mon, 02 Feb 2026 11:51:33 +0000
From: Francesco Chicchiriccò <ilgrosso@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login 

Severity: important 

Affected versions:

- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui) 3.0 through 3.0.15
- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui) 4.0 through 4.0.3

Description:

Reflected XSS in Apache Syncope's Enduser Login page.
An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

Credit:

Kasper Karlsson (finder)
Karin Taliga (finder)

References:

https://syncope.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-23794

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.