PT-2026-32643 · Red Hat · Keycloak

Osidb Bzimport

·

Published

2026-04-14

·

Updated

2026-04-19

·

CVE-2026-37980

CVSS v3.1

6.9

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Keycloak (affected versions not specified)

Description

A stored cross-site scripting (XSS) vulnerability exists in the organization selection login page. An attacker holding the manage-realm or manage-organizations administrative role can store a crafted organization alias; the organization.alias value is interpolated into an inline JavaScript onclick handler without encoding for that context, so the alias is executed as arbitrary JavaScript in the browser of any user who is shown the organization selection page (hence PR:H and UI:R in the vector, with scope changed because the injected script runs in the victim's session rather than the attacker's). Successful exploitation may lead to session theft or unauthorized actions performed as the victim.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. Check the linked GHSA advisory and Red Hat security data for a fixed release; until one is available, restrict the manage-realm and manage-organizations roles to trusted administrators and review existing organization aliases for characters such as quotes, parentheses and semicolons.
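The failure mode described above, as an added example that is not Keycloak's code or template: the markup shape, the `selectOrganization` handler name and the sample alias are assumptions chosen to illustrate the bug class (an attacker-controlled value interpolated into an inline onclick handler), not the project's actual markup. The block renders the same organization with a vulnerable template and a hardened one, then shows what the JS engine would see in each handler once string literals are blanked out.

```javascript
// Added example, not Keycloak's code. The advisory says organization.alias is
// interpolated into an inline onclick handler without sanitization; the markup
// below is an ASSUMED shape used to show the failure mode and one fix.

// Minimal HTML text/attribute encoding (the five characters that matter).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Reverse of escapeHtml: what the browser does to an attribute value before
// handing it to the JS engine as the handler body.
function decodeAttr(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    ({ "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" })[m]);
}

// VULNERABLE (assumed shape): alias dropped raw into a JS string literal
// inside an inline onclick attribute.
function renderVulnerable(org) {
  return `<button onclick="selectOrganization('${org.alias}')">${escapeHtml(org.name)}</button>`;
}

// HARDENED: encode for the JS context first (JSON.stringify yields a quoted,
// escaped JS string literal), then for the HTML attribute context.
function renderHardened(org) {
  const jsLiteral = JSON.stringify(org.alias);
  return `<button onclick="selectOrganization(${escapeHtml(jsLiteral)})">${escapeHtml(org.name)}</button>`;
}

// Extract the onclick handler as the JS engine will see it (null if there is
// no inline handler at all).
function handlerSource(html) {
  const m = html.match(/onclick="([^"]*)"/);
  return m ? decodeAttr(m[1]) : null;
}

// Blank out the contents of every string literal so only "code" remains.
// Any token from the alias that survives this is executing as code.
function codeOutsideLiterals(js) {
  let out = "";
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote) {
      if (c === "\\") { i++; continue; }          // skip escaped char in literal
      if (c === quote) { out += c; quote = null; } // literal closes
      continue;
    }
    if (c === "'" || c === '"') quote = c;
    out += c;
  }
  return out;
}

// Constructed sample: an alias that an administrator holding the
// manage-organizations role could store (hypothetical payload).
const EVIL_ORG = { name: "Acme", alias: "'); alert(document.cookie); //" };

function demo() {
  const vulnerableCode = codeOutsideLiterals(handlerSource(renderVulnerable(EVIL_ORG)));
  const hardenedCode = codeOutsideLiterals(handlerSource(renderHardened(EVIL_ORG)));
  return {
    vulnerableCode,
    hardenedCode,
    vulnerableBreaksOut: vulnerableCode.includes("alert("),
    hardenedBreaksOut: hardenedCode.includes("alert("),
  };
}

console.log(demo());
```

In the vulnerable rendering the alias closes the string literal, injects `alert(document.cookie)` and comments out the rest of the handler; in the hardened rendering the same alias stays inside a JS string literal because it was encoded for the JS context and then for the attribute context, in that order. Note that `JSON.stringify` alone is not sufficient inside a `<script>` block (it does not escape `</script>` or U+2028/U+2029); the more robust fix is to drop inline handlers entirely, carry the alias in an HTML-escaped `data-` attribute and bind the click listener from a script, which also works under a Content Security Policy that forbids `unsafe-inline`.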

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-37980
GHSA-M32F-8VH9-2HH3

Affected Products

Keycloak