PT-2026-6183 · Apache · Apache Syncope

Karin Taliga +1 · Published 2026-02-03 · Updated 2026-02-08 · CVE-2026-23794

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache Syncope versions 3.0 through 3.0.15
Apache Syncope versions 4.0 through 4.0.3

Description

A reflected cross-site scripting (XSS) issue exists in the Enduser Login page of Apache Syncope. An attacker could potentially steal user credentials by tricking a legitimate user into clicking a malicious link and logging into Syncope Enduser. The attack involves manipulating the login process to execute malicious scripts within the context of a user's browser.

Recommendations

Upgrade to version 3.0.16
Upgrade to version 4.0.4

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23794
GHSA-V84M-GFW5-HM2W

Affected Products

Apache Syncope