Skip to main content

Syncope CVE-2026-23795

MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-02-03 security@apache.org GHSA-73f3-rqqf-2j54
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 03, 2026 - 16:16 nvd
MEDIUM 4.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.syncope.client.idrepo:syncope-client-idrepo-console (5 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

AnalysisAI

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Technical ContextAI

This vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) affects Syncope. Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

RemediationAI

Update to version 3.0.16 or later. Restrict network access to the affected service where possible.

CVE-2018-1321 HIGH POC
7.2 Mar 20

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and un

CVE-2020-1961 CRITICAL
9.8 May 04

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1

CVE-2020-1959 CRITICAL
9.8 May 04

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary

CVE-2018-1322 MEDIUM POC
4.9 Mar 20

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupporte

CVE-2020-11977 HIGH
7.2 Sep 15

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow

CVE-2018-17186 HIGH
7.2 Nov 06

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not li

CVE-2026-23794 MEDIUM
6.8 Feb 03

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a maliciou

CVE-2014-0111 MEDIUM
6.5 Apr 17

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via

CVE-2024-45031 MEDIUM
6.1 Oct 24

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated mediu

CVE-2024-38503 MEDIUM
5.4 Jul 22

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could le

CVE-2018-17184 MEDIUM
5.4 Nov 06

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements

CVE-2014-3503 MEDIUM
5.0 Jul 11

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attack

Share

CVE-2026-23795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy