CVE-2026-23794

MEDIUM

Apache Syncope <3.0.15/<4.0.3 - XSS

Title source: llm

Description

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

References (2)

[Mailing List, Third Party Advisory] https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2026/02/02/1

Scores

CVSS v3 6.8

EPSS 0.0003

EPSS Percentile 9.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

apache/syncope < 3.0.16

org.apache.syncope.client.idrepo/syncope-client-idrepo-common-ui < 3.0.16Maven

Timeline

Published Feb 03, 2026

Tracked Since Feb 18, 2026