CVE-2026-23795

MEDIUM

Apache Syncope <3.0.15/<4.0.3 - XML External Entity Reference

Title source: llm

Description

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

References (2)

[Mailing List, Third Party Advisory] https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2026/02/02/2

Scores

CVSS v3 4.9

EPSS 0.0010

EPSS Percentile 26.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-611

Status published

Affected Products (2)

apache/syncope < 3.0.16

org.apache.syncope.client.idrepo/syncope-client-idrepo-console < 3.0.16Maven

Timeline

Published Feb 03, 2026

Tracked Since Feb 18, 2026