CVE-2026-23794 PUBLISHED

Apache Syncope: Reflected XSS on Enduser Login

Assigner: apache
Reserved: 16.01.2026
Published: 03.02.2026
Updated: 03.02.2026

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 (3.0 line) or 4.0.4 (4.0 line), which fix this issue.
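The advisory names the weakness class (CWE-79, reflected XSS) but not the affected request parameter or page template. The following is an added illustrative example, not Apache Syncope's code: a hypothetical login page that reflects an "error" request parameter into its HTML, shown once in the vulnerable form (raw interpolation) and once in the hardened form (HTML entity encoding before output). The page name, parameter name, and sample input are all assumptions made for the illustration.

```java
// Added illustrative example (not Apache Syncope's code). The login page,
// the "error" parameter and the sample input are hypothetical; they stand in
// for any untrusted value that a page echoes back into its HTML response.
public class ReflectedXssDemo {

    // Vulnerable pattern (CWE-79): the untrusted parameter is copied verbatim
    // into the response, so markup in the value becomes part of the page.
    static String renderUnsafe(String errorParam) {
        return "<p class=\"error\">" + errorParam + "</p>";
    }

    // Hardened pattern: encode every character with meaning in HTML before
    // it reaches the response, so the value is always rendered as text.
    static String renderSafe(String errorParam) {
        return "<p class=\"error\">" + htmlEncode(errorParam) + "</p>";
    }

    // Minimal HTML entity encoder suitable for text content and quoted
    // attribute values (a real application would use its framework's or
    // a library's encoder instead of hand-rolling this).
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: the kind of value a crafted link could
        // place in the reflected parameter.
        String sample = "<script>alert(1)</script>";

        System.out.println("unsafe: " + renderUnsafe(sample));
        // prints: unsafe: <p class="error"><script>alert(1)</script></p>

        System.out.println("safe:   " + renderSafe(sample));
        // prints: safe:   <p class="error">&lt;script&gt;alert(1)&lt;/script&gt;</p>

        // Regression check worth keeping in a unit test: no raw tag may survive encoding.
        if (renderSafe(sample).contains("<script")) {
            throw new AssertionError("HTML encoding failed");
        }
    }
}
```

The defensive takeaway is the one the advisory implies: on a login page, any reflected value (error messages, redirect targets, usernames echoed back after a failed attempt) must be output-encoded for the HTML context it lands in, and a unit test like the check in `main` catches a regression before it ships.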

Product Status

Vendor Apache Software Foundation
Product Apache Syncope
Versions Default: unaffected
  • affected from 3.0 to 3.0.15 (incl.)
  • affected from 4.0 to 4.0.3 (incl.)

Credits

  • Kasper Karlsson (finder)
  • Karin Taliga (finder)

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')