PT-2026-6184 · Apache · Apache Syncope

Follycat +1 · Published 2026-02-03 · Updated 2026-02-08 · CVE-2026-23795

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Syncope versions 3.0 through 3.0.15
Apache Syncope versions 4.0 through 4.0.3

Description
An issue exists in Apache Syncope Console where an administrator with sufficient privileges to create or edit Keymaster parameters can construct malicious XML text to launch an XML External Entity (XXE) attack. This can lead to sensitive data leakage.

Recommendations
Upgrade to Apache Syncope version 3.0.16 (3.0.x branch)
Upgrade to Apache Syncope version 4.0.4 (4.0.x branch)

Tags: Fix, XXE

Related Identifiers

CVE-2026-23795
GHSA-73F3-RQQF-2J54

Affected Products

Apache Syncope