A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with "manage-realm" or "manage-organizations" administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the "organization.alias" is placed into an inline JavaScript "onclick" handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.