CVE-2026-37980

medium
Published 2026-04-14 · Modified 2026-06-02
CVSS v3
4.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v4
—
not yet in upstream
VIR risk
4.8

Description

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.
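The failure mode described above is a context-confusion bug: a value that is perfectly safe as HTML text or as an attribute value is not safe once the attribute is an inline event handler, because the browser HTML-decodes the attribute and then parses the result as JavaScript. The following is an added illustration, not Keycloak's template or its upstream fix; the handler name `selectOrg`, the renderer functions, the `simulateClick` stand-in for the browser and the alias value are all constructed for this example.

```javascript
// Added illustration (not Keycloak's template or its upstream fix): why
// HTML-escaping alone does not protect a value interpolated into an inline
// onclick handler, and two ways of keeping an attacker-chosen organization
// alias out of JavaScript context. selectOrg, the renderers, simulateClick
// and ATTACKER_ALIAS are made up for this example.

// Minimal HTML attribute/text escaping, as a template engine would apply.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Browsers decode character references in an attribute value *before* that
// value is handed to the JavaScript parser as the handler body, so &#39;
// is a plain quote again at exactly the wrong moment.
function htmlDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'",
  })[e]);
}

// Variant A (the vulnerable pattern): the alias lands inside a JS string
// literal in onclick. HTML escaping is applied, yet the quote survives
// decoding and terminates the literal.
function renderInlineEscapedOnly(alias) {
  const a = htmlEscape(alias);
  return `<a href="#" onclick="selectOrg('${a}')">${a}</a>`;
}

// Variant B: encode for the innermost context first (JS string literal via
// JSON.stringify), then for the outer one (HTML attribute). The decoded
// handler is a single call with the alias as a string argument.
function renderInlineNestedEncoding(alias) {
  const js = htmlEscape(JSON.stringify(alias));
  return `<a href="#" onclick="selectOrg(${js})">${htmlEscape(alias)}</a>`;
}

// Variant C: never put the alias into code at all; it lives in a data-*
// attribute and the handler reads it back as data.
function renderDataAttr(alias) {
  const a = htmlEscape(alias);
  return `<a href="#" data-alias="${a}" onclick="selectOrg(this.dataset.alias)">${a}</a>`;
}

// Stand-in for the browser's click dispatch: extract the onclick attribute,
// HTML-decode it, and run it with `this` bound to a fake element exposing
// dataset. selectOrg and alert are recorded rather than executed for real.
function simulateClick(html) {
  const calls = [];
  const onclick = htmlDecode(/onclick="([^"]*)"/.exec(html)[1]);
  const data = /data-alias="([^"]*)"/.exec(html);
  const el = { dataset: { alias: data ? htmlDecode(data[1]) : undefined } };
  const selectOrg = (alias) => calls.push(["selectOrg", alias]);
  const alert = (x) => calls.push(["alert", String(x)]);
  // Newline after the body so a trailing '//' in the payload cannot comment
  // out the closing brace, matching how an attribute body is parsed.
  const handler = new Function("selectOrg", "alert",
    "return function () {\n" + onclick + "\n};")(selectOrg, alert);
  handler.call(el);
  return calls;
}

// Constructed attacker-controlled alias, as an admin with manage-organizations
// could store it: it closes the string literal and appends a statement.
const ATTACKER_ALIAS = "acme');alert(1);//";

function runDemo(alias = ATTACKER_ALIAS) {
  return {
    vulnerable: simulateClick(renderInlineEscapedOnly(alias)),
    nested: simulateClick(renderInlineNestedEncoding(alias)),
    dataAttr: simulateClick(renderDataAttr(alias)),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run with `node`: for the vulnerable rendering the recorded calls are `selectOrg("acme")` followed by `alert(1)`, i.e. the stored alias executed as code in the viewer's session; for the two hardened renderings the whole alias arrives as the string argument of `selectOrg` and nothing else runs. The rule the example demonstrates is to encode for the innermost context first (JavaScript string literal) and the outer context second (HTML attribute), or, better, to keep untrusted data out of script context entirely.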

Predictions

Exploit likelihood
58%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata (Red Hat Inc.), via Open-Errata-API

Description

org.keycloak.forms.login: keycloak: Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page

Red Hat statement

This vulnerability has Moderate impact. A Stored Cross-Site Scripting (XSS) flaw in the organization selection login page of Red Hat Build of Keycloak (RHBK) allows an attacker with `manage-realm` or `manage-organizations` privileges to inject a crafted JavaScript payload. This payload executes in the context of a user's browser when the login page is viewed, potentially leading to session theft or further attacks.

CVSS v3 (Red Hat score): 6.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N)

Package state

Product                    Package              State
Red Hat Build of Keycloak  rhbk/keycloak-rhel9  Affected

Affected

Vendor  Product                    Version
redhat  Red Hat Build of Keycloak  Affected

Package impact

Ecosystem     Package                         Vulnerable  Fixed
Maven (java)  org.keycloak:keycloak-services  <=26.5.5    (not listed)

Application impact

Vendor  Product            Versions  Fixed
redhat  build_of_keycloak  -         (not listed)

References

CWEs

CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')