PT-2026-43078 · Apache · Apache Syncope
Trung Nguyen
·
Published
2026-05-25
·
Updated
2026-05-27
·
CVE-2026-42782
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Syncope versions 3.0 through 3.0.16
Apache Syncope versions 4.0 through 4.0.5
Apache Syncope version 4.1.0
Description
Improper Isolation or Compartmentalization allows an administrator with sufficient entitlements for Implementations to create a malicious Groovy class. This class can contain untrusted code that reaches a non-sandboxed execution path through the class static initializer, potentially leading to remote code execution.
Recommendations
For versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0, upgrade to version 4.0.6 or 4.1.1.
Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Syncope