Severity: important

Affected versions:

- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui) 3.0 through 3.0.15
- Apache Syncope (org.apache.syncope.client.idrepo:syncope-client-idrepo-common-ui) 4.0 through 4.0.3

Description:

Reflected XSS in Apache Syncope's Enduser Login page.
An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

Credit:

Kasper Karlsson (finder)
Karin Taliga (finder)

References:

https://syncope.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-23794
