PT-2026-43078 · Apache · Apache Syncope

Trung Nguyen

·

Published

2026-05-25

·

Updated

2026-05-27

·

CVE-2026-42782

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0 through 3.0.16 Apache Syncope versions 4.0 through 4.0.5 Apache Syncope version 4.1.0
Description Improper Isolation or Compartmentalization allows an administrator with sufficient entitlements for Implementations to create a malicious Groovy class. This class can contain untrusted code that reaches a non-sandboxed execution path through the class static initializer, potentially leading to remote code execution.
Recommendations For versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0, upgrade to version 4.0.6 or 4.1.1.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42782
GHSA-GQ7G-VG2Q-JVQ3

Affected Products

Apache Syncope