Skip to main content

Polis CVE-2026-33506

| EUVDEUVD-2026-16320 HIGH
Improper Neutralization of Alternate XSS Syntax (CWE-87)
2026-03-26 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 19:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:13 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
26.2.0
EUVD ID Assigned
Mar 26, 2026 - 19:16 euvd
EUVD-2026-16320
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 18:48 nvd
HIGH 8.8

DescriptionGitHub Advisory

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (callbackUrl), which is passed to router.push. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.

AnalysisAI

DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.

Technical ContextAI

Ory Polis is a SAML login flow bridge that proxies authentication to OAuth 2.0 or OpenID Connect protocols. The vulnerability stems from CWE-87 (Improper Neutralization of Alternate XSS Syntax), where the application fails to validate or sanitize the callbackUrl parameter before passing it to router.push for client-side navigation. This DOM-based XSS occurs entirely in the browser context without server-side validation, allowing injection of javascript: URIs or other malicious payloads. The affected product per CPE is cpe:2.3:a:ory:polis:*:*:*:*:*:*:*:*, encompassing all versions prior to the patched release.

RemediationAI

Upgrade Ory Polis to version 26.2.0 or later, which contains the vendor-released patch addressing this DOM-based XSS vulnerability (release details at https://github.com/ory/polis/releases/tag/v26.2.0). Until patching is completed, implement defense-in-depth measures including Content Security Policy headers that restrict script-src to 'self' and disable unsafe-inline, configure URL validation middleware to whitelist permitted callback domains, and educate users to verify login URLs match expected organizational domains before entering credentials. Review authentication logs for anomalous callbackUrl patterns that may indicate exploitation attempts. Consult the GitHub security advisory at https://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22 for complete remediation guidance.

Share

CVE-2026-33506 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy