CVE-2021-20323

MEDIUM NUCLEI

Keycloak < 17.0.0 - Reflected Cross-Site Scripting via POST Request

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-20323. PoCs published by ndmalc, Cappricio-Securities, cscpwn0sec. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a functional proof-of-concept for CVE-2021-20323, a reflected XSS vulnerability in Keycloak's clients-registrations endpoint. It includes curl commands to trigger the bug and Docker configurations to test vulnerable and patched versions.

Description

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.

Exploits (3)

nomisec WORKING POC 13 stars
by ndmalc · poc
https://github.com/ndmalc/CVE-2021-20323

This repository provides a functional proof-of-concept for CVE-2021-20323, a reflected XSS vulnerability in Keycloak's clients-registrations endpoint. It includes curl commands to trigger the bug and Docker configurations to test vulnerable and patched versions.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Keycloak versions before 18.0.0
No auth needed
Prerequisites: Access to the Keycloak clients-registrations endpoint
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SCANNER 2 stars
by Cappricio-Securities · poc
https://github.com/Cappricio-Securities/CVE-2021-20323

This repository contains a Python-based scanner for detecting CVE-2021-20323, an XSS vulnerability. The tool checks for the presence of the vulnerability by sending crafted requests and analyzing responses, but it does not include exploit code for weaponization.

Classification
Scanner 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Unknown (scanner targets web applications)
No auth needed
Prerequisites: Python 3 · requests library · target URL or list of URLs
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SCANNER
by cscpwn0sec · poc
https://github.com/cscpwn0sec/CVE-2021-20323

This repository contains a scanner for detecting CVE-2021-20323, an XSS vulnerability in Keycloak. It tests endpoints for vulnerability by sending a crafted payload and checking the response for specific error messages.

Classification
Scanner 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Keycloak
No auth needed
Prerequisites: Network access to the target Keycloak instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting
MEDIUMVERIFIEDby ndmalc,incogbyte
Shodan: html:"Keycloak" || http.title:"keycloak" || http.html:"keycloak" || http.favicon.hash:-1105083093
FOFA: title="keycloak" || icon_hash=-1105083093 || body="keycloak"

References (1)

Core 1
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2013577

Scores

CVSS v3 6.1
EPSS 0.6605
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
org.keycloak/keycloak-core 15.0.0 - 17.0.0Maven
redhat/keycloak < 17.0.0
Published Mar 25, 2022
Tracked Since Feb 18, 2026