CVE-2026-23794

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

6.8MEDIUM

EPSS

0.0%

top 88.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Syncope Apache Software Foundation Apache Syncope

Timeline

PublishedFeb 3

Description

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:NExploitability: 2.3 | Impact: 4.0

Affected Packages3 packages

▶NVDapache/syncope3.0.0 — 3.0.16+1

▶Mavenorg.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui3.0.0 — 3.0.16+1

▶CVEListV5apache_software_foundation/apache_syncope3.0 — 3.0.15+1

🔴Vulnerability Details

GHSA

Apache Syncope: Reflected XSS on Enduser Login↗2026-02-03

▶

OSV

Apache Syncope: Reflected XSS on Enduser Login↗2026-02-03

▶

CVEList

Apache Syncope: Reflected XSS on Enduser Login↗2026-02-03

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23794 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶