Apache Syncope Patches XSS and XXE Flaws Enabling Session Hijacking and Data Leakage
The Apache Software Foundation released security updates for Apache Syncope to address vulnerabilities that could enable session hijacking and sensitive data exposure in identity-management deployments. One issue, CVE-2026-23794, is a reflected XSS flaw in the Enduser Login page where an attacker can trick a user into clicking a crafted link, leading to arbitrary JavaScript execution in the victim’s browser and potential theft of session cookies or actions performed as the user.
A second issue, CVE-2026-23795, is an XML External Entity (XXE) vulnerability in the Syncope Console related to creating/editing Keymaster parameters; it requires an attacker to have (or obtain) administrator-level entitlements, but can then be used to submit malicious XML to trigger data leakage and potentially facilitate session compromise. Reported affected versions include 3.0–3.0.15 and 4.0–4.0.3, with fixes available in 3.0.16 and 4.0.4; organizations running impacted releases are advised to upgrade promptly, particularly given Syncope’s role in authentication and access control.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public disclosure details CVE-2026-23795 impact and affected Syncope versions
Public reporting disclosed technical details for CVE-2026-23795, an XXE issue in the Apache Syncope identity management console that can be exploited by an administrator or compromised admin account to expose sensitive data. Reports identified affected versions as 3.0 through 3.0.15 and 4.0 through 4.0.3, noted a CVSS 6.5 rating, and recommended restricting console access and monitoring XML parsing activity until upgrades are applied.
Apache fixes Syncope XSS and XXE vulnerabilities in new releases
The Apache Software Foundation released security updates for Apache Syncope to remediate two flaws: reflected XSS CVE-2026-23794 in the Enduser Login page and XXE CVE-2026-23795 in the Console Keymaster parameters. Apache advised users to upgrade Syncope 3.0.x to 3.0.16 and 4.0.x to 4.0.4, affecting the syncope-client-idrepo-common-ui and syncope-client-idrepo-console components.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache CXF Patches LDAP Injection, XXE, and Incomplete-Fix RCE Flaws
The Apache Software Foundation released security updates for **Apache CXF** to fix three newly disclosed vulnerabilities affecting enterprise deployments of the services framework. The flaws include **`CVE-2026-44930`**, an LDAP injection issue in the XKMS LDAP certificate repository that can let attackers manipulate backend search filters and retrieve arbitrary digital certificates, potentially enabling impersonation, interception of encrypted communications, and lateral movement. Apache also addressed an **XXE** flaw in WS-Transfer caused by insecure XML parser configuration, which could expose sensitive files and support internal network mapping, as well as a possible **remote code execution** condition tied to an incomplete fix for an older JMS-related bug. Affected releases include **4.2.0**, **4.0.0 through 4.1.5**, and older branches before **3.6.11**. Apache published patched versions **4.2.1**, **4.1.6**, and **3.6.11**, and guidance urges organizations to upgrade immediately, review LDAP access controls, monitor certificate access activity, and reduce exposure of XKMS components where possible. The disclosures indicate that while the LDAP flaw does not itself provide code execution, the combined set of weaknesses could materially affect trust infrastructure and server security in vulnerable environments.
May 26, 2026
Apache Answer 2.0.1 Fixes XSS, Authorization Bypass, Token, DoS, and Email Injection Flaws
Apache disclosed five vulnerabilities in **Apache Answer** affecting versions through `2.0.0`, including a **critical** cross-site scripting issue tracked as `CVE-2026-25688`. The XSS flaw stems from insufficient sanitization of AI-generated answer content, allowing malicious script execution when users view affected pages. Apache also fixed `CVE-2026-25699`, an authorization bypass in timeline-related APIs that let authenticated users access deleted, private, or unapproved content and related revision history, potentially exposing personal information, and `CVE-2026-25700`, which left previously issued administrative tokens valid after an administrator account was suspended, deleted, or deactivated. The same release also addressed `CVE-2026-33582`, a denial-of-service bug in which a specially crafted TIFF upload could trigger excessive memory allocation and crash the server process, and `CVE-2026-34033`, which allowed authenticated users to inject arbitrary HTML into notification emails because script-related tags were not properly neutralized. Apache said all five issues are remediated in **Apache Answer `2.0.1`** and advised users to upgrade, with reports credited to Sho Odagiri, Reimar Fritz, and Andy Gill of ZephrSec Ltd.
Jun 12, 2026
Apache APISIX fixes header injection and plaintext log export flaws
Apache disclosed two moderate-severity vulnerabilities in **APISIX** affecting multiple 2.x and 3.x releases, and urged users to upgrade to **version 3.16.0**. **CVE-2026-31908** affects the `forward-auth` plugin in certain configurations and allows an attacker to inject malicious headers in APISIX versions **2.12.0 through 3.15.0**. Apache also disclosed **CVE-2026-31924**, a cleartext transmission flaw in the `tencent-cloud-cls` log export plugin that sends sensitive information over plaintext HTTP in versions **2.99.0 through 3.15.0**. The issues were reported by **SeungMyung Lee** and **Oleh Konko**, respectively, and were announced on the **oss-sec** mailing list by **Abhishek Choudhary**.
May 24, 2026