PT-2026-28487 · Ory · Ory Polis

Published: 2026-03-26 · Updated: 2026-03-26 · CVE-2026-33506
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Ory Polis versions prior to 26.2.0
Description: Ory Polis, previously known as BoxyHQ Jackson, acts as a bridge or proxy from a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) flaw in the login functionality: the application trusts the callbackUrl URL parameter and passes it unvalidated to the router.push function. An attacker can craft a link that, when opened by an authenticated user (or by an unauthenticated user who then logs in), triggers a client-side redirection and executes arbitrary JavaScript in the victim's browser, potentially leading to credential theft and unauthorized actions performed on the victim's behalf.
Recommendations: Update to version 26.2.0 or later.
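As an added illustration (not Ory Polis code and not the project's actual fix), the shape of the flaw described above sits beside a hardened handler that admits only same-origin relative paths before calling the router; the application origin, the fallback path and the recording stand-in router are assumptions.

```javascript
// Added example, not Ory Polis code: a post-login redirect that trusts
// callbackUrl versus one that admits only same-origin relative paths.

// The pattern the advisory describes: the query parameter reaches the
// client-side router untouched, so the navigation target is caller-chosen.
function redirectTrusting(router, callbackUrl) {
  router.push(callbackUrl);
}

// Hardened check. appOrigin is the application's own origin (assumed here);
// fallback is where to land when the candidate is rejected.
function safeCallbackPath(callbackUrl, appOrigin, fallback = "/") {
  if (typeof callbackUrl !== "string" || callbackUrl === "") return fallback;
  // Must be a relative path: one leading slash, and not "//" or "/\", which
  // the URL parser treats as protocol-relative (foreign host). Any value that
  // carries its own scheme (https:, javascript:, ...) fails this test too.
  if (!callbackUrl.startsWith("/") || /^[\/\\]{2}/.test(callbackUrl)) return fallback;
  let resolved;
  try {
    resolved = new URL(callbackUrl, appOrigin); // also collapses "." and ".." segments
  } catch {
    return fallback;
  }
  // Belt and braces: after resolution the target must still be our origin.
  if (resolved.origin !== new URL(appOrigin).origin) return fallback;
  // Push the normalized path, never the raw parameter.
  return resolved.pathname + resolved.search + resolved.hash;
}

function redirectChecked(router, callbackUrl, appOrigin) {
  const target = safeCallbackPath(callbackUrl, appOrigin);
  router.push(target);
  return target;
}

// Stand-alone demo with a recording stand-in for the framework router
// (constructed values; no real navigation happens).
const APP_ORIGIN = "https://app.example";
const pushed = [];
const fakeRouter = { push: (url) => { pushed.push(url); } };
redirectChecked(fakeRouter, "/dashboard?tab=sso", APP_ORIGIN);        // kept as-is
redirectChecked(fakeRouter, "https://attacker.example/", APP_ORIGIN); // falls back to "/"
```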

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-33506
GHSA-3WJR-6GW8-9J22

Affected Products

Boxyhq Jackson
Ory Polis