Threat Advisory

Apache Syncope Critical XSS and XXE Vulnerabilities

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Two vulnerabilities have been disclosed in Apache Syncope, an open-source digital identity management platform: a reflected cross-site scripting flaw in the Enduser login page that can be used to hijack user sessions, and an XML External Entity flaw in the Console that can expose files and other sensitive data held on the server.

CVE-2026-23794: A reflected cross-site scripting (XSS) flaw in the Apache Syncope Enduser login page allows a crafted URL to execute arbitrary JavaScript in the browser of any user who opens it. Because the script runs in the context of the Enduser application, it can steal session tokens or credentials or perform actions on the victim's behalf; the attacker only needs to get the victim to click a malicious link. This issue affects Apache Syncope versions 3.0 through 3.0.15 and 4.0 through 4.0.3 and is rated Important by the project.
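
The following is an added illustration of the reflected-XSS pattern described above, not code from Apache Syncope (which is written in Java) or from the report cited below. It uses a constructed, hypothetical login page that reflects two query parameters ("next" and "message") into its HTML; the host name, parameter names, template and payload are all assumptions. It shows the vulnerable interpolation beside the hardened version, and a small triage helper that reports which parameters a response reflects without encoding.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a login page that reflects request parameters into
# its HTML. This is NOT Apache Syncope code; the host name, parameter names
# and template are hypothetical and exist only to show the reflected-XSS
# pattern and its fix.
BASE_URL = "https://idm.example.test/syncope-enduser/login"
PAYLOAD = '"><script>alert(document.cookie)</script>'

LOGIN_TEMPLATE = (
    "<html><body>"
    '<form action="/login" method="post">'
    '<input type="hidden" name="next" value="{next}">'
    '<p class="error">{message}</p>'
    "</form></body></html>"
)


def build_url(base: str, **params: str) -> str:
    """Build a request URL with percent-encoded query parameters."""
    return base + "?" + urlencode(params)


def _query_params(url: str) -> dict[str, str]:
    """Decode the query string, keeping the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_login_vulnerable(url: str) -> str:
    """Vulnerable: decoded parameter values are interpolated into HTML as-is.

    A value such as PAYLOAD closes the hidden input's value attribute and
    injects a <script> element that runs in the victim's browser.
    """
    params = _query_params(url)
    return LOGIN_TEMPLATE.format(
        next=params.get("next", "/"),
        message=params.get("message", ""),
    )


def render_login_hardened(url: str) -> str:
    """Hardened: every attacker-controlled value is HTML-encoded for its context.

    html.escape(quote=True) encodes & < > " and ', which neutralises the
    payload in both the double-quoted attribute and the text-node context
    used by the template.
    """
    params = {k: html.escape(v, quote=True) for k, v in _query_params(url).items()}
    return LOGIN_TEMPLATE.format(
        next=params.get("next", "/"),
        message=params.get("message", ""),
    )


def reflected_unencoded(url: str, page: str) -> list[str]:
    """Triage helper: names of query parameters whose value contains HTML
    metacharacters and appears verbatim (unencoded) in the response body."""
    hits = []
    for name, value in _query_params(url).items():
        if value != html.escape(value, quote=True) and value in page:
            hits.append(name)
    return hits


if __name__ == "__main__":
    url = build_url(BASE_URL, next=PAYLOAD, message="Session expired")
    print("vulnerable reflects:", reflected_unencoded(url, render_login_vulnerable(url)))
    print("hardened reflects:  ", reflected_unencoded(url, render_login_hardened(url)))
```

The triage helper only flags parameters whose value contains a character that HTML encoding would change, so ordinary reflected values such as a language code do not produce noise; run it against a real response body to check whether a login page echoes a parameter unencoded before anyone has to reason about the page source.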

CVE-2026-23795: An XML External Entity (XXE) vulnerability in the Syncope Console's handling of Keymaster parameters allows an attacker who already holds the relevant administrative entitlements to submit crafted XML. If the parser resolves external entities, the payload can read files or other sensitive data from the server and return them to the attacker. Exploitation therefore requires an administrative account, which limits exposure but does not remove it: a compromised or over-privileged administrator is enough. This affects Syncope versions 3.0 through 3.0.15 and 4.0 through 4.0.3 and carries a Moderate to Important severity.
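
The following is an added demonstration of the XXE mechanism described above, not code from Apache Syncope (which is Java and uses JAXP parsers) or from the cited report. It uses Python's standard-library SAX parser because its external-entity resolution can be switched on and off with a single feature flag, which makes the vulnerable and hardened configurations directly comparable. The "keymaster" element, the parameter layout and the secret written to a temporary file are constructed stand-ins and not Syncope's actual request format.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed example, not Apache Syncope code. The <keymaster> element and
# the secret written to the temporary file are stand-ins; the only thing
# being demonstrated is what the parser does with an external entity.


class TextCollector(ContentHandler):
    """Collects every character-data chunk the parser reports."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: list[str] = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def xxe_document(path: str) -> bytes:
    """Build the kind of payload an attacker would submit: a DOCTYPE that
    declares an external entity pointing at a server-side file, referenced
    from an element the application expects to contain ordinary text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE keymaster [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<keymaster><param>&xxe;</param></keymaster>"
    ).encode()


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with the stdlib SAX parser and return the collected text.

    resolve_external_entities=True is the vulnerable configuration: the
    parser fetches whatever SYSTEM identifier the DOCTYPE names and splices
    its contents into the document. False (the Python default) makes the
    entity expand to nothing, so the file never leaves the server.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def demo(secret: str = "db.password=hunter2") -> tuple[str, str]:
    """Write a stand-in secret to disk, then parse the same XXE payload with
    the vulnerable and the hardened parser configuration."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as tmp:
        tmp.write(secret)
        path = tmp.name
    try:
        doc = xxe_document(path)
        leaked = parse_text(doc, resolve_external_entities=True)
        blocked = parse_text(doc, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"external entities resolved: {leaked!r}")
    print(f"external entities disabled: {blocked!r}")
```

The fix is the same in any parser: refuse DOCTYPE declarations or disable external entity resolution before parsing attacker-controlled XML. In Java's JAXP, which Syncope uses, that means setting the "http://apache.org/xml/features/disallow-doctype-decl" feature to true, or at minimum setting "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false on the factory that builds the parser.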

RECOMMENDATION:

We strongly recommend that you update Apache Syncope to version 3.0.16 (for the 3.0.x branch) or version 4.0.4 (for the 4.0.x branch); these releases fix both issues. Until the upgrade is applied, treat links to the Enduser login page that arrive from untrusted sources with suspicion, and review which accounts hold the administrative entitlements needed to reach the Console's Keymaster parameter handling, since those are the only accounts that can trigger the XXE issue.

REFERENCES:

The following report contains further technical details:

https://securityonline.info/identity-at-risk-apache-syncope-patches-critical-login-xss-xxe-flaws/
