CVE-2026-23794
published 2026-02-03CVE-2026-23794: Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope…
medium6.8CVSS 3.1
AVNACLPRLUIRSCCHINAN
Reflected XSS in Apache Syncope's Enduser Login page.
An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.
This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.
Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | syncope | >= 3.0.0 < 3.0.16 | 3.0.16 |
| apache | syncope | >= 4.0.0 < 4.0.4 | 4.0.4 |
| apache_software_foundation | apache_syncope | 3.0 – 3.0.15 | — |
| apache_software_foundation | apache_syncope | 4.0 – 4.0.3 | — |