Reflected XSS Vulnerability in Apache Syncope's Enduser Login Page
CVE-2026-23794
6.8 MEDIUM
What is CVE-2026-23794?
A reflected cross-site scripting (XSS) vulnerability exists in the Enduser Login page of Apache Syncope. An attacker can trick a legitimate user into clicking a malicious link; if the user then logs in through that link, their credentials can be stolen, leading to potential unauthorized access. Users are strongly recommended to upgrade to Apache Syncope version 3.0.16 or 4.0.4 to mitigate this security risk.
Affected Version(s)
Apache Syncope 3.0 <= 3.0.15
Apache Syncope 4.0 <= 4.0.3