Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-10044

Good to know:

icon

Date: September 5, 2025

A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.

Severity Score

Related Resources (11)

https://nvd.nist.gov/vuln/detail/CVE-2025-10044
https://access.redhat.com/security/cve/CVE-2025-10044
https://access.redhat.com/errata/RHSA-2025:16400
https://access.redhat.com/errata/RHSA-2025:19923
https://github.com/keycloak/keycloak/pull/42035
https://access.redhat.com/errata/RHSA-2025:19925
https://bugzilla.redhat.com/show_bug.cgi?id=2393551
https://access.redhat.com/errata/RHSA-2025:16399
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/security/advisories/GHSA-27gc-wj6x-9w55
https://www.mend.io/vulnerability-database/CVE-2025-10044

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version org.keycloak:keycloak-account-ui:26.3.4;org.keycloak:keycloak-admin-ui:26.3.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us