CVE-2025-10044

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw exists in Keycloak where the account console and other pages accept arbitrary text in the error description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents cross-site scripting (XSS), an attacker can craft URLs with misleading messages, such as fake support phone numbers or URLs, which are displayed within the trusted Keycloak user interface. This creates a phishing vector, potentially tricking users into contacting malicious actors.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.