VYPR
Moderate severityOSV Advisory· Published Feb 3, 2026· Updated Feb 3, 2026

Apache Syncope: Reflected XSS on Enduser Login

CVE-2026-23794

Description

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-uiMaven
>= 3.0.0, < 3.0.163.0.16
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-uiMaven
>= 4.0.0, < 4.0.44.0.4

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.