CVE-2026-23795

Source
https://cve.org/CVERecord?id=CVE-2026-23795
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23795.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23795
Aliases
Published
2026-02-03T16:16:13.390Z
Modified
2026-02-11T13:45:27.998109Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

References

Affected packages

Git / github.com/apache/syncope

Affected versions

syncope-3.*
syncope-3.0.0
syncope-3.0.1
syncope-3.0.10
syncope-3.0.11
syncope-3.0.12
syncope-3.0.13
syncope-3.0.14
syncope-3.0.15
syncope-3.0.2
syncope-3.0.3
syncope-3.0.4
syncope-3.0.5
syncope-3.0.6
syncope-3.0.7
syncope-3.0.8
syncope-3.0.9
syncope-4.*
syncope-4.0.0
syncope-4.0.1
syncope-4.0.2
syncope-4.0.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23795.json"