Skip to main content

Syncope CVE-2026-23794

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-02-03 security@apache.org GHSA-v84m-gfw5-hm2w
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 03, 2026 - 16:16 nvd
MEDIUM 6.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 14 maven packages depend on org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui (5 direct, 9 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

AnalysisAI

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. [CVSS 6.8 MEDIUM]

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Syncope. Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

RemediationAI

Update to version 3.0.16 or later. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2018-1321 HIGH POC
7.2 Mar 20

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and un

CVE-2020-1961 CRITICAL
9.8 May 04

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1

CVE-2020-1959 CRITICAL
9.8 May 04

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary

CVE-2018-1322 MEDIUM POC
4.9 Mar 20

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupporte

CVE-2020-11977 HIGH
7.2 Sep 15

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow

CVE-2018-17186 HIGH
7.2 Nov 06

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not li

CVE-2014-0111 MEDIUM
6.5 Apr 17

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via

CVE-2024-45031 MEDIUM
6.1 Oct 24

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated mediu

CVE-2024-38503 MEDIUM
5.4 Jul 22

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could le

CVE-2018-17184 MEDIUM
5.4 Nov 06

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements

CVE-2014-3503 MEDIUM
5.0 Jul 11

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attack

CVE-2026-23795 MEDIUM
4.9 Feb 03

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Share

CVE-2026-23794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy