CVE-2026-23795

MEDIUM

Apache Syncope <3.0.15/<4.0.3 - XML External Entity Reference

Title source: llm

Description

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

References (2)

[Mailing List, Third Party Advisory] https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2026/02/02/2

Scores

CVSS v3 4.9

EPSS 0.0010

EPSS Percentile 27.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (2)

apache/syncope 3.0.0 - 3.0.16

org.apache.syncope.client.idrepo/syncope-client-idrepo-console 3.0.0 - 3.0.16Maven

Published Feb 03, 2026

Tracked Since Feb 18, 2026