Reflected XSS Vulnerability in Apache Syncope's Enduser Login Page
CVE-2026-23794

6.8MEDIUM

Key Information:

Vendor: Apache
Status: Apache Syncope
Vendor: CVE Published:; 3 February 2026

What is CVE-2026-23794?

A reflected cross-site scripting vulnerability exists in the Enduser Login page of Apache Syncope. This vulnerability allows attackers to deceive legitimate users into clicking on malicious links. Once a user is tricked into logging in through the compromised link, their credentials can be stolen, leading to potential unauthorized access. It is highly recommended for users to upgrade to Apache Syncope version 3.0.16 or 4.0.4 to mitigate this security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Syncope 3.0 <= 3.0.15

Apache Syncope 4.0 <= 4.0.3

References

https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxof...

vendor-advisory

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Jan 16, 2026

Credit

Kasper Karlsson

Karin Taliga

JSON

Apache