CVE-2026-23794
BaseFortify
Publication date: 2026-02-03
Last updated on: 2026-02-06
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | syncope | From 3.0.0 (inc) to 3.0.16 (exc) |
| apache | syncope | From 4.0.0 (inc) to 4.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-23794 is a reflected Cross-Site Scripting (XSS) vulnerability found in the Enduser Login page of Apache Syncope.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this vulnerability by tricking a legitimate user into clicking a malicious link and logging into the Syncope Enduser interface.'}, {'type': 'paragraph', 'content': "This can allow the attacker to steal the user's credentials."}, {'type': 'paragraph', 'content': 'The vulnerability affects Apache Syncope versions 3.0 through 3.0.15 and 4.0 through 4.0.3.'}, {'type': 'paragraph', 'content': 'Users are recommended to upgrade to versions 3.0.16 or 4.0.4 where the issue has been fixed.'}] [2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to steal your login credentials if you are tricked into clicking a malicious link and logging into the affected Apache Syncope Enduser interface.
Credential theft can lead to unauthorized access to your account and potentially further compromise of your data or systems.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "To mitigate this reflected XSS vulnerability in Apache Syncope's Enduser Login page, users are recommended to upgrade to the fixed versions."}, {'type': 'list_item', 'content': 'Upgrade Apache Syncope to version 3.0.16 if you are using any version from 3.0 through 3.0.15.'}, {'type': 'list_item', 'content': 'Upgrade Apache Syncope to version 4.0.4 if you are using any version from 4.0 through 4.0.3.'}] [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
[{'type': 'paragraph', 'content': "The vulnerability is a reflected Cross-Site Scripting (XSS) issue in Apache Syncope's Enduser Login page that can allow an attacker to steal user credentials by tricking users into clicking malicious links."}, {'type': 'paragraph', 'content': 'While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for an attacker to steal user credentials could potentially lead to unauthorized access to personal or sensitive data, which may impact compliance with data protection regulations.'}, {'type': 'paragraph', 'content': 'Organizations using affected versions of Apache Syncope should consider this vulnerability a risk to the confidentiality of user data and take appropriate remediation steps, such as upgrading to fixed versions, to maintain compliance with relevant security and privacy standards.'}] [2]