Skip to main content

Apache Syncope

1 CVEs product

Monthly

CVE-2026-42797 Maven MEDIUM PATCH This Month

Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.

Information Disclosure Apache Apache Syncope
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.

Information Disclosure Apache Apache Syncope
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy