CVE-2022-1274

MEDIUM

Keycloak < 20.0.5 - Cross-Site Scripting via Execute-Actions-Email Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-1274. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2022-1274, a vulnerability in Keycloak. The exploit appears to involve authentication bypass or improper access control, as indicated by the presence of authentication-related adapter code and configuration scripts.

Description

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

Exploits (1)

nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/keycloak__keycloak_CVE-2022-1274_20-0-3

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Keycloak (version 20.0.3 or earlier)
Authentication: No auth needed
Prerequisites: Access to a vulnerable Keycloak instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.4
EPSS 0.0099
EPSS Percentile 77.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-80 CWE-79
Status published
Products (6)
org.keycloak/keycloak-services 0 - 20.0.5 (Maven)
redhat/keycloak < 20.0.5
redhat/openshift_container_platform 4.9
redhat/openshift_container_platform 4.10
redhat/single_sign-on
redhat/single_sign-on 7.6 - 7.6.2
Published Mar 29, 2023
Tracked Since Feb 18, 2026