Home > Vulnerability Database > CVE-2026-23795

Mend.io Vulnerability Database

CVE-2026-23795

Good to know:

Date: February 3, 2026

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Severity Score

4.9

Related Resources (6)

Url: https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos

Url: https://lists.apache.org/thread/sf1z0ty674cjz86njqfc73t4vvf62b02

Url: https://github.com/apache/syncope

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23795

Url: http://www.openwall.com/lists/oss-security/2026/02/02/2

Url: https://www.mend.io/vulnerability-database/CVE-2026-23795

Severity Score

4.9

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

Top Fix

Upgrade Version

Upgrade to version org.apache.syncope.client.idrepo:syncope-client-idrepo-console:3.0.16;org.apache.syncope.client.idrepo:syncope-client-idrepo-console:4.0.4;https://github.com/apache/syncope.git - syncope-4.0.4;https://github.com/apache/syncope.git - syncope-3.0.16

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23795

Good to know:

Date: February 3, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?