CVE-2026-33506

HIGH

DOM-Based XSS in Ory Polis Login Page

Title source: cna

Description

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.

References (2)

[X_Refsource_Confirm] https://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22

[X_Refsource_Misc] https://github.com/ory/polis/releases/tag/v26.2.0

Scores

CVSS v3 8.8

EPSS 0.0008

EPSS Percentile 22.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-601 CWE-87

Status published

Products (1)

ory/polis < 26.2.0 (2 CPE variants)

Published Mar 26, 2026

Tracked Since Mar 27, 2026