Stored Cross-Site Scripting Vulnerability in Keycloak Login Page
CVE-2026-37980

6.9 MEDIUM

Key Information:

Vendor: Red Hat
CVE Published: 14 April 2026

What is CVE-2026-37980?

A flaw in Keycloak's organization selection login page allows remote attackers holding the manage-realm or manage-organizations privilege to exploit a stored Cross-Site Scripting (XSS) vulnerability. The flaw stems from the inclusion of organization.alias in an inline JavaScript onclick handler. By crafting a malicious JavaScript payload as an organization alias, an attacker can execute code in the browsers of users who visit the login page, resulting in potential session theft, unauthorized actions on those users' accounts, or follow-on attacks against users within the affected realm.
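The following is an added illustration, not Keycloak's code or its fix: it shows the bug class the advisory describes (a server-stored value interpolated into an inline onclick handler), a rendering pattern that keeps the value out of every script context, the two-step encoding needed if an inline handler cannot be removed, and a small audit helper for spotting the pattern in rendered templates. The organization object shape, the data-org-alias attribute, the org-select class and the selectOrg() function are assumptions made for the example.

```javascript
// Added example (not Keycloak's code). Assumptions: organizations are
// { alias, name } objects; data-org-alias, the class org-select and
// selectOrg() are hypothetical names chosen for this illustration.

// Encoding for a double-quoted HTML attribute value.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (the class of bug in the advisory): the alias lands inside
// JavaScript source. A quote in the alias ends the string literal and whatever
// follows is parsed as code. HTML-encoding alone would not fix this, because
// the browser HTML-decodes the attribute value before handing it to the
// JavaScript parser.
function renderUnsafe(orgs) {
  return orgs
    .map(o => `<a href="#" onclick="selectOrg('${o.alias}')">${escapeHtmlAttr(o.name)}</a>`)
    .join("\n");
}

// Hardened pattern: no inline handler at all. The alias is stored as plain data
// in an attribute (an HTML attribute context, where escapeHtmlAttr is the right
// encoding) and read back by a delegated listener, so it is never parsed as code.
function renderSafe(orgs) {
  return orgs
    .map(o =>
      `<a href="#" class="org-select" data-org-alias="${escapeHtmlAttr(o.alias)}">` +
      `${escapeHtmlAttr(o.name)}</a>`)
    .join("\n");
}

// Listener that accompanies renderSafe(), shipped as a separate script rather
// than inline markup (also CSP-friendly: no 'unsafe-inline' needed).
const SAFE_LISTENER = `
document.addEventListener("click", (ev) => {
  const link = ev.target.closest("a.org-select");
  if (!link) return;
  ev.preventDefault();
  selectOrg(link.dataset.orgAlias); // a string value, never executed
});`;

// If an inline handler really cannot be removed, the value needs two encodings
// in order: JavaScript string-literal encoding first (JSON.stringify produces a
// double-quoted literal with quotes and backslashes escaped), then HTML
// attribute encoding for the attribute that wraps the whole handler.
function renderInlineEncoded(orgs) {
  return orgs
    .map(o =>
      `<a href="#" onclick="${escapeHtmlAttr(`selectOrg(${JSON.stringify(o.alias)})`)}">` +
      `${escapeHtmlAttr(o.name)}</a>`)
    .join("\n");
}

// Audit helper: list inline on* handlers whose source contains a given value
// verbatim. A hit for a value that a low-trust administrator controls (here an
// organization alias) is the template pattern to look for in a review.
function inlineHandlersContaining(html, value) {
  const re = /\son([a-z]+)="([^"]*)"/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[2].includes(value)) hits.push({ event: m[1], source: m[2] });
  }
  return hits;
}

// Constructed sample data: an alias containing characters that are significant
// in both the JavaScript and the HTML context (test input, not a payload).
const SAMPLE_ORGS = [{ alias: "o'reilly<co>", name: "O'Reilly & Co" }];

console.log(renderUnsafe(SAMPLE_ORGS));
console.log(renderSafe(SAMPLE_ORGS));
console.log(renderInlineEncoded(SAMPLE_ORGS));
console.log(inlineHandlersContaining(renderUnsafe(SAMPLE_ORGS), SAMPLE_ORGS[0].alias));
```

Running the block prints the three renderings side by side; only the first carries the raw alias inside a handler, which is exactly what the audit helper reports. The delegated-listener form is preferable to the double-encoded inline form because it removes the script context entirely instead of relying on getting two encodings right in the correct order.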

References

CVSS V3.1

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
