CVE-2026-23795XML External Entity (XXE) Injection in Apache Syncope

CWE-611XML External Entity (XXE) Injection5 documents5 sources
Severity
4.9MEDIUMNVD
EPSS
0.1%
top 72.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache SyncopeApache Software Foundation Apache Syncope
Timeline
PublishedFeb 3

Description

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

NVDapache/syncope3.0.03.0.16+1
CVEListV5apache_software_foundation/apache_syncope3.03.0.15+1

🔴Vulnerability Details

3
OSV
Apache Syncope: Console XXE on Keymaster parameters2026-02-03
GHSA
Apache Syncope: Console XXE on Keymaster parameters2026-02-03
CVEList
Apache Syncope: Console XXE on Keymaster parameters2026-02-03

🕵️Threat Intelligence

1
Wiz
CVE-2026-23795 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-23795 — XML External Entity (XXE) Injection | cvebase