Moderate severityOSV Advisory· Published Feb 3, 2026· Updated Feb 3, 2026
Apache Syncope: Reflected XSS on Enduser Login
CVE-2026-23794
Description
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.
This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.
Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-uiMaven | >= 3.0.0, < 3.0.16 | 3.0.16 |
org.apache.syncope.client.idrepo:syncope-client-idrepo-common-uiMaven | >= 4.0.0, < 4.0.4 | 4.0.4 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-v84m-gfw5-hm2wghsaADVISORY
- lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjoghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-23794ghsaADVISORY
- www.openwall.com/lists/oss-security/2026/02/02/1ghsaWEB
News mentions
0No linked articles in our index yet.