PT-2026-27623 · Authelia · Authelia

James D. Elliott (+1)

Published: 2026-03-24 · Updated: 2026-03-27

CVE-2026-33525

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Authelia versions 4.39.15

Description

Authelia is an open-source authentication and authorization server. An attacker may potentially be able to inject JavaScript into the Authelia login page if specific conditions are met, including modifications to the script-src and connect-src Content Security Policy directives. This is due to a lack of neutralization of the language cookie value when rendering the HTML template. The vulnerability is likely difficult to discover and exploit, requiring a secondary application with a vulnerability that allows execution of malicious JavaScript. The attacker would need to delete the existing language cookie and write a new one.

Recommendations

Upgrade to version 4.39.16, or downgrade to version 4.39.14.
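A defender-side illustration of the neutralization the description refers to, added here as an example and not Authelia's own code: the language cookie is checked against an allowlist before it can reach the template, and the page is rendered with Go's html/template so that any interpolated value is contextually escaped for the attribute it lands in. The cookie name "language", the allowlist, the template and the sample cookie values are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedLanguages is a hypothetical allowlist of locale tags the login page
// supports; the real project's list is not on the advisory page.
var allowedLanguages = map[string]bool{"en": true, "fr": true, "de": true}

// loginTemplate is a constructed stand-in for a login page template. Because it
// is parsed by html/template, every {{.Lang}} is escaped for its HTML context.
var loginTemplate = template.Must(template.New("login").Parse(
	`<!DOCTYPE html><html lang="{{.Lang}}"><body>` +
		`<div id="app" data-lang="{{.Lang}}"></div></body></html>` + "\n"))

// languageFromCookie returns the language to render: the cookie value when it
// is on the allowlist, otherwise the default. A missing, malformed or unlisted
// cookie value never reaches the template.
func languageFromCookie(r *http.Request, def string) string {
	c, err := r.Cookie("language") // "language" is an assumed cookie name
	if err != nil {
		return def
	}
	v := strings.ToLower(strings.TrimSpace(c.Value))
	if allowedLanguages[v] {
		return v
	}
	return def
}

// renderLogin is the handler: it chooses the language as above, executes the
// escaped template into a buffer and only then writes the response.
func renderLogin(w http.ResponseWriter, r *http.Request) {
	data := struct{ Lang string }{Lang: languageFromCookie(r, "en")}
	var buf bytes.Buffer
	if err := loginTemplate.Execute(&buf, data); err != nil {
		http.Error(w, "template error", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_, _ = w.Write(buf.Bytes())
}

// renderWithCookie drives the handler with a request carrying the given
// language cookie value and returns the HTML it produced.
func renderWithCookie(value string) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.AddCookie(&http.Cookie{Name: "language", Value: value})
	rec := httptest.NewRecorder()
	renderLogin(rec, req)
	return rec.Body.String()
}

func main() {
	// Constructed inputs: an allowed tag, and a value carrying markup characters
	// that the allowlist rejects before it could be interpolated.
	for _, v := range []string{"fr", "fr<x>"} {
		fmt.Printf("cookie %q -> %s", v, renderWithCookie(v))
	}
}
```

The two layers are independent: the allowlist keeps anything but a known locale tag out of the page, and html/template would still escape a stray value in the lang and data-lang attributes if the allowlist were bypassed. Neither replaces the upgrade the advisory recommends, and the strict script-src and connect-src directives the description mentions remain the outer barrier that the attack conditions depend on.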

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33525
GHSA-GMFG-3V4Q-9QR4
GO-2026-4818
SUSE-SU-2026:1135-1

Affected Products

Authelia