HIGH🇵🇱 Wersja polska

CVE-2026-33506

CVSS 8.8v3.1pub. 2026-03-26upd. 2026-04-17

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
  • Ory Polis

    APP
    Ory
    < 26.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-33494CRITICAL10.0PL ✓ten sam vendor

Ory Oathkeeper: pominięcie autoryzacji przez path traversal w URL

CVE-2026-33503HIGH7.2ten sam vendor

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2...

CVE-2026-33504HIGH7.2ten sam vendor

Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, ...

CVE-2026-33496HIGH8.1ten sam vendor

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP reques...

CVE-2026-33505HIGH7.2ten sam vendor

Ory Keto is am open source authorization server for managing permissions at scale. Prior to version 26.2.0, th...