Every CVE whose affected-product data names Apache Syncope, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (18)
CVE-2020-1961 — CVSS 9.8 (critical): Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior…
CVE-2020-1959 — CVSS 9.8 (critical): A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL…
CVE-2025-65998 — CVSS 7.5 (high): Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the…
CVE-2018-17186 — CVSS 7.2 (high): An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read…
CVE-2026-42782 — CVSS 7.2 (high): Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations…
CVE-2018-1321 — CVSS 7.2 (high): An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases…
CVE-2025-57738 — CVSS 7.2 (high): Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations…
CVE-2020-11977 — CVSS 7.2 (high): In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can…
CVE-2026-23794 — CVSS 6.8 (medium): Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging…
CVE-2014-0111 — CVSS 6.5 (medium): Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to…
CVE-2024-45031 — CVSS 6.1 (medium): When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to…
CVE-2019-17557 — CVSS 5.4 (medium): It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a…
CVE-2024-38503 — CVSS 5.4 (medium): When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential…
CVE-2018-17184 — CVSS 5.4 (medium): A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector…
CVE-2014-3503 — CVSS 5.0 (medium): Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the…
CVE-2026-42797 — CVSS 4.9 (medium): Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for…
CVE-2018-1322 — CVSS 4.9 (medium): An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x…
CVE-2026-23795 — CVSS 4.9 (medium): Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements…