Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Lifecycle Timeline
7DescriptionGitHub Advisory
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (callbackUrl), which is passed to router.push. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
AnalysisAI
DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.
Technical ContextAI
Ory Polis is a SAML login flow bridge that proxies authentication to OAuth 2.0 or OpenID Connect protocols. The vulnerability stems from CWE-87 (Improper Neutralization of Alternate XSS Syntax), where the application fails to validate or sanitize the callbackUrl parameter before passing it to router.push for client-side navigation. This DOM-based XSS occurs entirely in the browser context without server-side validation, allowing injection of javascript: URIs or other malicious payloads. The affected product per CPE is cpe:2.3:a:ory:polis:*:*:*:*:*:*:*:*, encompassing all versions prior to the patched release.
RemediationAI
Upgrade Ory Polis to version 26.2.0 or later, which contains the vendor-released patch addressing this DOM-based XSS vulnerability (release details at https://github.com/ory/polis/releases/tag/v26.2.0). Until patching is completed, implement defense-in-depth measures including Content Security Policy headers that restrict script-src to 'self' and disable unsafe-inline, configure URL validation middleware to whitelist permitted callback domains, and educate users to verify login URLs match expected organizational domains before entering credentials. Review authentication logs for anomalous callbackUrl patterns that may indicate exploitation attempts. Consult the GitHub security advisory at https://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22 for complete remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16320