My colleagues found a bug...
CVE-2026-23794 in the IAM solution Apache Syncope makes it possible to inject XSS payloads on the login page of Syncope Enduser. An attacker could send such a link to a victim and steal their password in plain text when they attempt to log in.
https://securityblog.omegapoint.se/en/writeup-apache-syncope-cve-2026-23794/
Writeup: Reflected XSS in Apache Syncope on Enduser Login (CVE-2026-23794)