CVE-2026-23794
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-02-03

Last updated on: 2026-02-06

Assigner: Apache Software Foundation

Description
Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23794
EUVD
EUVD-2026-5265
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache syncope From 3.0.0 (inc) to 3.0.16 (exc)
apache syncope From 4.0.0 (inc) to 4.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-23794 is a reflected Cross-Site Scripting (XSS) vulnerability found in the Enduser Login page of Apache Syncope.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this vulnerability by tricking a legitimate user into clicking a malicious link and logging into the Syncope Enduser interface.'}, {'type': 'paragraph', 'content': "This can allow the attacker to steal the user's credentials."}, {'type': 'paragraph', 'content': 'The vulnerability affects Apache Syncope versions 3.0 through 3.0.15 and 4.0 through 4.0.3.'}, {'type': 'paragraph', 'content': 'Users are recommended to upgrade to versions 3.0.16 or 4.0.4 where the issue has been fixed.'}] [2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to steal your login credentials if you are tricked into clicking a malicious link and logging into the affected Apache Syncope Enduser interface.

Credential theft can lead to unauthorized access to your account and potentially further compromise of your data or systems.

Mitigation Strategies

[{'type': 'paragraph', 'content': "To mitigate this reflected XSS vulnerability in Apache Syncope's Enduser Login page, users are recommended to upgrade to the fixed versions."}, {'type': 'list_item', 'content': 'Upgrade Apache Syncope to version 3.0.16 if you are using any version from 3.0 through 3.0.15.'}, {'type': 'list_item', 'content': 'Upgrade Apache Syncope to version 4.0.4 if you are using any version from 4.0 through 4.0.3.'}] [2]

Compliance Impact

[{'type': 'paragraph', 'content': "The vulnerability is a reflected Cross-Site Scripting (XSS) issue in Apache Syncope's Enduser Login page that can allow an attacker to steal user credentials by tricking users into clicking malicious links."}, {'type': 'paragraph', 'content': 'While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for an attacker to steal user credentials could potentially lead to unauthorized access to personal or sensitive data, which may impact compliance with data protection regulations.'}, {'type': 'paragraph', 'content': 'Organizations using affected versions of Apache Syncope should consider this vulnerability a risk to the confidentiality of user data and take appropriate remediation steps, such as upgrading to fixed versions, to maintain compliance with relevant security and privacy standards.'}] [2]

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart