Apache · Apache Syncope · CVE-2026-23794
**Name of the Vulnerable Software and Affected Versions**
Apache Syncope versions 3.0 through 3.0.15
Apache Syncope versions 4.0 through 4.0.3
**Description**
A reflected cross-site scripting (XSS) issue exists in the Enduser Login page of Apache Syncope. An attacker could steal user credentials by tricking a legitimate user into clicking a malicious link and logging in to Syncope Enduser. The attack manipulates the login process so that malicious scripts execute in the context of the user's browser.
**Recommendations**
Upgrade to version 3.0.16
Upgrade to version 4.0.4