Description
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/02/02/1
Scores
CVSS v3
6.8
EPSS
0.0004
EPSS Percentile
11.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
apache/syncope
3.0.0 - 3.0.16
org.apache.syncope.client.idrepo/syncope-client-idrepo-common-ui
3.0.0 - 3.0.16Maven
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026