{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23794", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-16T09:38:02.393Z", "datePublished": "2026-02-03T15:15:24.310Z", "dateUpdated": "2026-02-03T16:01:22.030Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui", "product": "Apache Syncope", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.0.15", "status": "affected", "version": "3.0", "versionType": "semver"}, {"lessThanOrEqual": "4.0.3", "status": "affected", "version": "4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kasper Karlsson"}, {"lang": "en", "type": "finder", "value": "Karin Taliga"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Reflected XSS in Apache Syncope's Enduser Login page.<br>An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.</p><p>This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.</p><p>Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.</p>"}], "value": "Reflected XSS in Apache Syncope's Enduser Login page.\nAn attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.\n\nThis issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.\n\nUsers are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-03T15:15:24.310Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Syncope: Reflected XSS on Enduser Login", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/02/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-03T15:19:10.034Z"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T16:01:19.601825Z", "id": "CVE-2026-23794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T16:01:22.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/02/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-03T15:19:10.034Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T16:01:19.601825Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T16:01:12.931Z"}}], "cna": {"title": "Apache Syncope: Reflected XSS on Enduser Login", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kasper Karlsson"}, {"lang": "en", "type": "finder", "value": "Karin Taliga"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Syncope", "versions": [{"status": "affected", "version": "3.0", "versionType": "semver", "lessThanOrEqual": "3.0.15"}, {"status": "affected", "version": "4.0", "versionType": "semver", "lessThanOrEqual": "4.0.3"}], "packageName": "org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Reflected XSS in Apache Syncope's Enduser Login page.\nAn attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.\n\nThis issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.\n\nUsers are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Reflected XSS in Apache Syncope's Enduser Login page.<br>An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.</p><p>This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.</p><p>Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-03T15:15:24.310Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23794", "state": "PUBLISHED", "dateUpdated": "2026-02-03T16:01:22.030Z", "dateReserved": "2026-01-16T09:38:02.393Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-02-03T15:15:24.310Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*", "matchCriteriaId": "E48D90FB-E49B-4FD5-B184-3049D3087635", "versionEndExcluding": "3.0.16", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*", "matchCriteriaId": "877C8861-D17C-4BBE-A0C0-E3FDACB7CF9C", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Reflected XSS in Apache Syncope's Enduser Login page.\nAn attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.\n\nThis issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.\n\nUsers are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue."}], "id": "CVE-2026-23794", "lastModified": "2026-02-06T14:44:43.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T16:16:13.183", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/02/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@apache.org", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:14:36.601478+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Syncope to version 3.0.16 or later, or 4.0.4 or later, which includes the upstream fix for the reflected XSS issue.", "Where possible, disable or replace the standard Enduser login path with a token\u2011based or two\u2011factor flow to reduce the attack surface for credential theft.", "Deploy a web application firewall or input\u2011validation rule set to detect and block XSS payloads that might be injected into the Enduser login URL temporarily while awaiting the patch."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected products are Apache Syncope from the Apache Software Foundation. Versions 3.0 through 3.0.15 and 4.0 through 4.0.3 are vulnerable, while versions 3.0.16, 4.0.4 and later contain the fix.", "description_and_impact": "Apache Syncope\u2019s Enduser Login page contains a reflected cross\u2011site scripting flaw that allows an attacker to embed script code into the login form\u2019s URL and cause it to execute in a victim\u2019s browser. The flaw does not require authentication, but the attacker must convince a legitimate user to click a crafted link and perform a login action.\n\nThe impact is that an attacker can steal the authenticated user\u2019s session cookie or other credentials that the user enters during login, thereby compromising the user\u2019s account and potentially the entire Syncope deployment.\n\nBased on the description, the attack vector is a social\u2011engineering approach where a user clicks a malicious URL that triggers the reflection. The CVSS score of 6.8 indicates moderate severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild today. The vulnerability is not yet listed in CISA\u2019s Known Exploited Vulnerabilities catalog, reducing the immediacy of any large\u2011scale exploitation risk.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability requires a user to click a malicious URL, so it is a social\u2011engineering risk. Although it is not listed in CISA\u2019s KEV catalog, the potential to steal credentials warrants timely patching."}}}}, "created": "2026-02-04T12:08:58.814980+00:00", "updated": "2026-04-18T14:15:04.140483+00:00", "vendors": ["apache", "apache$PRODUCT$syncope"]}