FKIE_CVE-2026-33506

Vulnerability from fkie_nvd - Published: 2026-03-26 19:17 - Updated: 2026-03-30 13:26
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Summary
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
References
security-advisories@github.comhttps://github.com/ory/polis/releases/tag/v26.2.0
security-advisories@github.comhttps://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis\u0027s login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "Ory Polis, anteriormente conocido como BoxyHQ Jackson, act\u00faa como puente o proxy para un flujo de inicio de sesi\u00f3n SAML a OAuth 2.0 o OpenID Connect. Las versiones anteriores a la 26.2.0 contienen una vulnerabilidad de cross-site scripting (XSS) basada en DOM en la funcionalidad de inicio de sesi\u00f3n de Ory Polis. La aplicaci\u00f3n conf\u00eda indebidamente en un par\u00e1metro de URL (\u0027callbackUrl\u0027), el cual se pasa a `router.push`. Un atacante puede crear un enlace malicioso que, al ser abierto por un usuario autenticado (o un usuario no autenticado que luego inicia sesi\u00f3n), realiza una redirecci\u00f3n del lado del cliente y ejecuta JavaScript arbitrario en el contexto de su navegador. Esto podr\u00eda conducir a robo de credenciales, pivoteo de red interno y acciones no autorizadas realizadas en nombre de la v\u00edctima. La versi\u00f3n 26.2.0 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-33506",
  "lastModified": "2026-03-30T13:26:50.827",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-26T19:17:05.680",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ory/polis/releases/tag/v26.2.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-87"
        },
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.