logo

Database

Server side cross-site scripting In org.keycloak:keycloak-services

Description

Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the organization.alias is placed into an inline JavaScript onclick handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-379802. NVD-2026-379803. OSV-2026-379804. GCVE-2026-379805. ACCESS-CVE-2026-37980

References

1. https://github.com/keycloak/keycloak/issues/480492. https://bugzilla.redhat.com/show_bug.cgi?id=2455325

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.