The Apache Software Foundation has released crucial security updates for Apache Syncope, addressing two vulnerabilities that could hijack user sessions or leak sensitive server data. The most severe, CVE-2026-23794, is a Reflected Cross-Site Scripting flaw on the Enduser Login page and is rated Important; an attacker tricks a legitimate user into clicking a crafted link to execute arbitrary JavaScript in the browser.
If exploited, this could allow theft of session cookies, redirection to malicious sites, or actions taken on behalf of the victim at login. The second vulnerability, CVE-2026-23795, is an XML External Entity flaw in the Console component’s Keymaster parameters, rated Moderate, where an administrator with adequate entitlements could construct malicious XML to cause data leakage.
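As an added illustration of the hardening that defeats the XML External Entity class described above (example code written for this page, not Apache Syncope's own code and not the project's actual fix): a Java snippet that configures a JAXP DocumentBuilderFactory to refuse DOCTYPE declarations and external entities, and classifies how a given parser configuration reacts to a constructed parameters document that declares an external entity. The class name, element names and the file path inside the sample XML are assumptions; the feature URIs are the standard Xerces/SAX feature names.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample (not from the advisory): a parameters document that
    // declares an external entity. A parser that resolves it would read the
    // referenced file and return its contents inside <value>. The path is a
    // placeholder and need not exist for the demonstration.
    static final String HOSTILE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE params [\n"
        + "  <!ENTITY ext SYSTEM \"file:///tmp/placeholder-secret.txt\">\n"
        + "]>\n"
        + "<params><param key=\"demo\"><value>&ext;</value></param></params>";

    // Weak configuration: JAXP defaults, which leave DOCTYPE and external
    // entity resolution enabled.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: refuse any DOCTYPE outright (so no entity can be
    // declared), and additionally switch off external entity and DTD loading
    // in case the DOCTYPE restriction is ever relaxed.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Classifies the parser's behaviour on the sample:
    //   "REJECTED_DOCTYPE"      the parser refused the document before resolving anything
    //   "ATTEMPTED_EXTERNAL_READ" the parser followed the SYSTEM identifier (the I/O
    //                           failed only because the placeholder file is absent)
    //   "RESOLVED_ENTITY"       the parser read the file and placed its contents in the DOM
    static String classify(DocumentBuilderFactory f, String xml) throws ParserConfigurationException {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return "RESOLVED_ENTITY";
        } catch (SAXParseException e) {
            return "REJECTED_DOCTYPE";
        } catch (IOException e) {
            return "ATTEMPTED_EXTERNAL_READ";
        } catch (Exception e) {
            return "OTHER: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  : " + classify(defaultFactory(), HOSTILE_XML));
        System.out.println("hardened : " + classify(hardenedFactory(), HOSTILE_XML));
    }
}
```

Run with `javac XxeHardeningDemo.java && java XxeHardeningDemo`. The hardened factory reports REJECTED_DOCTYPE because the parse fails at the DOCTYPE line, before any SYSTEM identifier is consulted; the default factory reports ATTEMPTED_EXTERNAL_READ (or RESOLVED_ENTITY if the placeholder path happens to exist), which is the behaviour an XXE flaw abuses. Disallowing the DOCTYPE is the single most effective setting; the remaining features are defence in depth.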
Users are urged to upgrade: for the 3.0.x branch to 3.0.16 and for the 4.0.x branch to 4.0.4, which patch both the syncope-client-idrepo-common-ui and syncope-client-idrepo-console components.