CVE-2026-23795 – Apache Syncope: Console XXE on Keymaster parameters

CVE ID : CVE-2026-23795

Published : Feb. 3, 2026, 4:16 p.m. | 1 hour, 2 minutes ago

Description : Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.
An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

Severity: 4.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-24427 – Tenda AC7 Exposes Admin Credentials in Configuration Responses

CVE-2025-62600 – FastDDS has Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled

CVE-2026-24426 – Tenda AC7 Reflected XSS via Web Interface Output Encoding

CVE-2026-1802 – Ziroom ZHOME A0101 zrMacClone.lua macAddrClone command injection