| 0 |
| url |
VCID-14c3-xa9j-mbab |
| vulnerability_id |
VCID-14c3-xa9j-mbab |
| summary |
Incorrect implementation of lockout feature in Keycloak
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42201 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42238 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42214 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42189 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42225 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42174 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42156 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42216 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42207 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.4213 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-3513, GHSA-xv7h-95r7-595j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-14c3-xa9j-mbab |
|
| 1 |
| url |
VCID-28sw-q8sc-5ugs |
| vulnerability_id |
VCID-28sw-q8sc-5ugs |
| summary |
Loop with Unreachable Exit Condition ('Infinite Loop')
keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10912 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64755 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64718 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.6474 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64691 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64719 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64677 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64725 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64639 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64745 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.64757 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10912 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2018-10912 |
| reference_id |
CVE-2018-10912 |
| reference_type |
|
| scores |
| 0 |
| value |
4.0 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:L/Au:S/C:N/I:N/A:P |
|
| 1 |
| value |
4.4 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
4.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2018-10912 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 4 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 5 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 6 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 7 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 8 |
| vulnerability |
VCID-78nt-79j3-k3fh |
|
| 9 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 10 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 11 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 12 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 13 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 14 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 15 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 16 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 17 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 18 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 19 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 20 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 21 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 22 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 23 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 24 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 25 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 26 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 27 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 28 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 29 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 30 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 31 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 32 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 33 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 34 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 35 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 36 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 37 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 38 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 39 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 40 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 41 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 42 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 43 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 44 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 45 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 46 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
|
|
| aliases |
CVE-2018-10912, GHSA-h7j7-pw3v-3v3x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-28sw-q8sc-5ugs |
|
| 2 |
| url |
VCID-2g8t-qjp5-ebc7 |
| vulnerability_id |
VCID-2g8t-qjp5-ebc7 |
| summary |
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8629 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43916 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43832 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43882 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43885 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43903 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43871 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43854 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43834 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43878 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43901 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8629 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2pnb-13et-y3hr |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 6 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 7 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 8 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 9 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 10 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 11 |
| vulnerability |
VCID-7mm5-8378-rua3 |
|
| 12 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 13 |
| vulnerability |
VCID-85y2-ejk7-qud9 |
|
| 14 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 15 |
| vulnerability |
VCID-aps8-cw7n-57g3 |
|
| 16 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 17 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 18 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 19 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 20 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 21 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 22 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 23 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 24 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 25 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 26 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 27 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 28 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 29 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 30 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 31 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 32 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 33 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 34 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 35 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 36 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 37 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 38 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 39 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 40 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 41 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 42 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 43 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 44 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 45 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 46 |
| vulnerability |
VCID-vnp3-9ddj-qfa2 |
|
| 47 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 48 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 49 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 50 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 51 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 52 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
|
|
| aliases |
CVE-2016-8629, GHSA-778x-2mqv-w6xw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2g8t-qjp5-ebc7 |
|
| 3 |
| url |
VCID-2pnb-13et-y3hr |
| vulnerability_id |
VCID-2pnb-13et-y3hr |
| summary |
Information Exposure
It was found that while parsing the SAML messages the `StaxParserUtil` class of keycloak replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request `ID` field to be the chosen system property which could be obtained in the `InResponseTo` field in the response. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2582 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70303 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70251 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70265 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70289 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70274 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70262 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70199 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70211 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70227 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70205 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2582 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 4 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 5 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 6 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 7 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 8 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 9 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 10 |
| vulnerability |
VCID-7mm5-8378-rua3 |
|
| 11 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 12 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 13 |
| vulnerability |
VCID-aps8-cw7n-57g3 |
|
| 14 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 15 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 16 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 17 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 18 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 19 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 20 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 21 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 22 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 23 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 24 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 25 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 26 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 27 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 28 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 29 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 30 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 31 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 32 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 33 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 34 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 35 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 36 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 37 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 38 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 39 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 40 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 41 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 42 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 43 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 44 |
| vulnerability |
VCID-vnp3-9ddj-qfa2 |
|
| 45 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 46 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 47 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 48 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 49 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 50 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
|
| 1 |
|
|
| aliases |
CVE-2017-2582, GHSA-c77r-6f64-478q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2pnb-13et-y3hr |
|
| 4 |
| url |
VCID-2xyb-g3n4-n3ca |
| vulnerability_id |
VCID-2xyb-g3n4-n3ca |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.74741 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.7475 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.74771 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75036 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75012 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75057 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75046 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75004 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75007 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00978 |
| scoring_system |
epss |
| scoring_elements |
0.76766 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-1274, GHSA-m4fv-gm5m-4725, GMS-2023-528
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xyb-g3n4-n3ca |
|
| 5 |
| url |
VCID-3248-31p8-tyd4 |
| vulnerability_id |
VCID-3248-31p8-tyd4 |
| summary |
Incorrect Authorization
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3011 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30188 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30272 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3009 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3015 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30186 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30145 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30193 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30095 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30223 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-1725, GHSA-p225-pc2x-4jpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3248-31p8-tyd4 |
|
| 6 |
| url |
VCID-3ncm-zz6v-2ua2 |
| vulnerability_id |
VCID-3ncm-zz6v-2ua2 |
| summary |
keycloak vulnerable to unauthorized login via mail server setup
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-14837 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77103 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77001 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77007 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77036 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77017 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77049 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77059 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77087 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77067 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.01008 |
| scoring_system |
epss |
| scoring_elements |
0.77062 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-14837 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 5 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 6 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 7 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 8 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 9 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 25 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 26 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 27 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 28 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 29 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 30 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 31 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 32 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 33 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 34 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 35 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 36 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-14837, GHSA-cf8f-w2c5-p5jr
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ncm-zz6v-2ua2 |
|
| 7 |
| url |
VCID-3ued-3fnw-a7h7 |
| vulnerability_id |
VCID-3ued-3fnw-a7h7 |
| summary |
Improper Certificate Validation
The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (`http` or `ldap`) and hence the caller should verify the signature and possibly the certification path. Keycloak currently does not validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3875 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14521 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14613 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14703 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14762 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14723 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.1463 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14684 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14735 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.14809 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3875 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 4 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 21 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 22 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 23 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 24 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 25 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 26 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 27 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 28 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 29 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 30 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 31 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 32 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 33 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 34 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 35 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 36 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 37 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 38 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 39 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 40 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-3875, GHSA-38cg-gg9j-q9j9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ued-3fnw-a7h7 |
|
| 8 |
| url |
VCID-49qw-j7rn-qfdf |
| vulnerability_id |
VCID-49qw-j7rn-qfdf |
| summary |
Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references.
# Original Description
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.
A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
GHSA-57rh-gr4v-j5f6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-49qw-j7rn-qfdf |
|
| 9 |
| url |
VCID-5apu-r7pn-byet |
| vulnerability_id |
VCID-5apu-r7pn-byet |
| summary |
keycloak Self Stored Cross-site Scripting vulnerability
A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20195 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53767 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53729 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53746 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53664 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53696 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53717 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53648 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53763 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53715 |
| published_at |
2026-04-09T12:55:00Z |
|
| 9 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.53669 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20195 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 6 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 7 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 8 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 11 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 12 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 13 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 14 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 15 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 16 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 17 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 18 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 19 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 20 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 21 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 22 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 23 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 24 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.3 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20195, GHSA-q6w2-89hq-hq27
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5apu-r7pn-byet |
|
| 10 |
| url |
VCID-6s4w-hv7a-ffaw |
| vulnerability_id |
VCID-6s4w-hv7a-ffaw |
| summary |
Keycloak vulnerable to Server-Side Request Forgery
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10770 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99719 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99718 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.9972 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99717 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10770 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 7 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 8 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 9 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 10 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 11 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 12 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 13 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 14 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 15 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 16 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 17 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 18 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 19 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 20 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 21 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 22 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 23 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 24 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 25 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.2 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-10770, GHSA-jh7q-5mwf-qvhw
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6s4w-hv7a-ffaw |
|
| 11 |
| url |
VCID-6wdp-9pvw-ybgp |
| vulnerability_id |
VCID-6wdp-9pvw-ybgp |
| summary |
Improper Authentication
It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8609 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35449 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35442 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35466 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35476 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35433 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35409 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35288 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35488 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35512 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35396 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8609 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2g8t-qjp5-ebc7 |
|
| 3 |
| vulnerability |
VCID-2pnb-13et-y3hr |
|
| 4 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 5 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 6 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 7 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 8 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 9 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 10 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 11 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 12 |
| vulnerability |
VCID-7mm5-8378-rua3 |
|
| 13 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 14 |
| vulnerability |
VCID-85y2-ejk7-qud9 |
|
| 15 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 16 |
| vulnerability |
VCID-aps8-cw7n-57g3 |
|
| 17 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 18 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 19 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 20 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 21 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 22 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 23 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 24 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 25 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 26 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 27 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 28 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 29 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 30 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 31 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 32 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 33 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 34 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 35 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 36 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 37 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 38 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 39 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 40 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 41 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 42 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 43 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 44 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 45 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 46 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 47 |
| vulnerability |
VCID-vnp3-9ddj-qfa2 |
|
| 48 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 49 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 50 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 51 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 52 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 53 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
|
|
| aliases |
CVE-2016-8609, GHSA-95m6-mjh3-58gm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6wdp-9pvw-ybgp |
|
| 12 |
| url |
VCID-7j7q-m1zp-zfac |
| vulnerability_id |
VCID-7j7q-m1zp-zfac |
| summary |
Keycloak has lack of validation of access token on client registrations endpoint
When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token.
If the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-0091 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T14:08:50Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-0091 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0091 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28325 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28469 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28511 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28302 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28367 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28411 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28414 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28371 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28313 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0091 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-0091, GHSA-v436-q368-hvgg, GMS-2023-37
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7j7q-m1zp-zfac |
|
| 13 |
| url |
VCID-7mm5-8378-rua3 |
| vulnerability_id |
VCID-7mm5-8378-rua3 |
| summary |
Weak Password Recovery Mechanism for Forgotten Password
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12161 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51321 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51276 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51273 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51317 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51295 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51281 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51184 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51237 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51262 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.5122 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12161 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 4 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 5 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 6 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 7 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 8 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 9 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 10 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 11 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 12 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 13 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 14 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 15 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 16 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 17 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 18 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 19 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 20 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 21 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 22 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 23 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 24 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 25 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 26 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 27 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 28 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 29 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 30 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 31 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 32 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 33 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 34 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 35 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 36 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 37 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 38 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 39 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 40 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 41 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 42 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 43 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 44 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 45 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 46 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 47 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
|
|
| aliases |
CVE-2017-12161, GHSA-959q-32g8-vvp7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7mm5-8378-rua3 |
|
| 14 |
| url |
VCID-7xuf-btg3-ckf6 |
| vulnerability_id |
VCID-7xuf-btg3-ckf6 |
| summary |
Keycloak Denial of Service vulnerability
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6841 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69836 |
| published_at |
2026-04-08T12:55:00Z |
|
| 1 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69796 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69788 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69887 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69845 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69859 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69874 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69851 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00613 |
| scoring_system |
epss |
| scoring_elements |
0.69811 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6841 |
|
| 3 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
|
| 4 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6841, GHSA-w97f-w3hq-36g2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7xuf-btg3-ckf6 |
|
| 15 |
| url |
VCID-85y2-ejk7-qud9 |
| vulnerability_id |
VCID-85y2-ejk7-qud9 |
| summary |
Information Exposure
Keycloak has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2585 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71398 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71308 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71316 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71334 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71309 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71349 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71362 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71385 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.7137 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71352 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2585 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 4 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 5 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 6 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 7 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 8 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 9 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 10 |
| vulnerability |
VCID-7mm5-8378-rua3 |
|
| 11 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 12 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 13 |
| vulnerability |
VCID-aps8-cw7n-57g3 |
|
| 14 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 15 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 16 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 17 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 18 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 19 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 20 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 21 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 22 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 23 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 24 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 25 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 26 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 27 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 28 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 29 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 30 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 31 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 32 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 33 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 34 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 35 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 36 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 37 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 38 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 39 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 40 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 41 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 42 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 43 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 44 |
| vulnerability |
VCID-vnp3-9ddj-qfa2 |
|
| 45 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 46 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 47 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 48 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 49 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 50 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
|
| 1 |
|
|
| aliases |
CVE-2017-2585, GHSA-w6gv-3r3v-gwgj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-85y2-ejk7-qud9 |
|
| 16 |
| url |
VCID-8rnf-e3sa-g7a8 |
| vulnerability_id |
VCID-8rnf-e3sa-g7a8 |
| summary |
Moderate severity vulnerability that affects org.keycloak:keycloak-core
Withdrawn: Duplicate of CVE-2017-12161 / GHSA-959q-32g8-vvp7 |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.0.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.0.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2g8t-qjp5-ebc7 |
|
| 3 |
| vulnerability |
VCID-2pnb-13et-y3hr |
|
| 4 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 5 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 6 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 7 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 8 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 9 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 10 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 11 |
| vulnerability |
VCID-6wdp-9pvw-ybgp |
|
| 12 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 13 |
| vulnerability |
VCID-7mm5-8378-rua3 |
|
| 14 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 15 |
| vulnerability |
VCID-85y2-ejk7-qud9 |
|
| 16 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 17 |
| vulnerability |
VCID-aps8-cw7n-57g3 |
|
| 18 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 19 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 20 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 21 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 22 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 23 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 24 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 25 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 26 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 27 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 28 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 29 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 30 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 31 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 32 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 33 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 34 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 35 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 36 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 37 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 38 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 39 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 40 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 41 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 42 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 43 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 44 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 45 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 46 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 47 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 48 |
| vulnerability |
VCID-vnp3-9ddj-qfa2 |
|
| 49 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 50 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 51 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 52 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 53 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 54 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.0.0.Final |
|
|
| aliases |
CVE-2017-1000500, GHSA-qgm9-232x-hwpx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8rnf-e3sa-g7a8 |
|
| 17 |
| url |
VCID-96mj-gt5k-23ck |
| vulnerability_id |
VCID-96mj-gt5k-23ck |
| summary |
Improper Input Validation and Cross-Site Request Forgery in Keycloak
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10199 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26359 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26549 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26331 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26398 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26449 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26456 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.2641 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26352 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26454 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26505 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10199 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 4 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 21 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 22 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 23 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 24 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 25 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 26 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 27 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 28 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 29 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 30 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 31 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 32 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 33 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 34 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 35 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 36 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 37 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 38 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 39 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 40 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-10199, GHSA-p5xp-6vpf-jwvh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-96mj-gt5k-23ck |
|
| 18 |
| url |
VCID-aps8-cw7n-57g3 |
| vulnerability_id |
VCID-aps8-cw7n-57g3 |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
When Keycloak receives a Logout request in the middle of the request, the `SAMLSloRequestParser.parse()` method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2646 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66123 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66083 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.6605 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66098 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66111 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.6613 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66117 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66088 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66013 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66055 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2646 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 4 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 5 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 6 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 7 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 8 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 9 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 10 |
| vulnerability |
VCID-7mm5-8378-rua3 |
|
| 11 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 12 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 13 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 14 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 15 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 16 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 17 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 18 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 19 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 20 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 21 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 22 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 23 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 24 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 25 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 26 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 27 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 28 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 29 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 30 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 31 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 32 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 33 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 34 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 35 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 36 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 37 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 38 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 39 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 40 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 41 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 42 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 43 |
| vulnerability |
VCID-vnp3-9ddj-qfa2 |
|
| 44 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 45 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 46 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 47 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 48 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 49 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
|
|
| aliases |
CVE-2017-2646, GHSA-jc6q-27mw-p55w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aps8-cw7n-57g3 |
|
| 19 |
| url |
VCID-c8ps-95au-zbg5 |
| vulnerability_id |
VCID-c8ps-95au-zbg5 |
| summary |
Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
### Summary
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the groups' dropdown functionality.
### Impact
Successful attacks of this vulnerability can result a privileged attacker to load a XSS script, and steal data from other users. The impact can be considered moderate to low, considering privileged credentials are required.
### References
- Please refer to the Keycloak Security mailing list for more information. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-755v-r4x4-qf7m, GMS-2022-7509
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c8ps-95au-zbg5 |
|
| 20 |
| url |
VCID-cp2f-bjsx-nkfm |
| vulnerability_id |
VCID-cp2f-bjsx-nkfm |
| summary |
Predictable password in Keycloak
A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1731 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.60019 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59978 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59992 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.60013 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59998 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59979 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59856 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59933 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59959 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.59928 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1731 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 5 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 6 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 7 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 8 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 9 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 10 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 11 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 12 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 13 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 14 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 15 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 16 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 17 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 18 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 19 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 20 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 21 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 22 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 23 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 24 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 25 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 26 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 27 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 28 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 29 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 30 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 31 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 32 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 33 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 34 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 35 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.2 |
|
|
| aliases |
CVE-2020-1731, GHSA-6pmv-7pr9-cgrj
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cp2f-bjsx-nkfm |
|
| 21 |
| url |
VCID-djwn-hkwg-g3gk |
| vulnerability_id |
VCID-djwn-hkwg-g3gk |
| summary |
keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36059 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36254 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36287 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36123 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36172 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3619 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36196 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36159 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36133 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36175 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-14302
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-djwn-hkwg-g3gk |
|
| 22 |
| url |
VCID-dxj3-8sk5-mfdy |
| vulnerability_id |
VCID-dxj3-8sk5-mfdy |
| summary |
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45481 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45418 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45438 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45382 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45437 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45458 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45428 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.4543 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dxj3-8sk5-mfdy |
|
| 23 |
| url |
VCID-e85z-cn66-fye8 |
| vulnerability_id |
VCID-e85z-cn66-fye8 |
| summary |
Keycloak Open Redirect vulnerability
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the `referrer` and `referrer_uri` parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.
Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the `redirect_uri` using URL encoding, to hide the text of the actual malicious website domain. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 2 |
|
| 3 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7260 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58667 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58607 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58628 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58598 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58649 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58656 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58673 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58654 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58634 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7260 |
|
| 5 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
|
| 6 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7260, GHSA-g4gc-rh26-m3p5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e85z-cn66-fye8 |
|
| 24 |
| url |
VCID-e9qa-sy57-fqby |
| vulnerability_id |
VCID-e9qa-sy57-fqby |
| summary |
Temporary Directory Hijacking Vulnerability in Keycloak
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13879 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14047 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14128 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14184 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13999 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14081 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14134 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14078 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14036 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13984 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20202, GHSA-6xp6-fmc8-pmmr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e9qa-sy57-fqby |
|
| 25 |
| url |
VCID-eaaa-ejr9-6ygx |
| vulnerability_id |
VCID-eaaa-ejr9-6ygx |
| summary |
Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 2 |
|
| 3 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7318 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80351 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.8037 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80323 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80355 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80304 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80349 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80378 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.8034 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.0139 |
| scoring_system |
epss |
| scoring_elements |
0.80312 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7318 |
|
| 5 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
|
| 6 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7318, GHSA-xmmm-jw76-q7vg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eaaa-ejr9-6ygx |
|
| 26 |
| url |
VCID-em5z-nvqy-fucp |
| vulnerability_id |
VCID-em5z-nvqy-fucp |
| summary |
Keycloak has Files or Directories Accessible to External Parties
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58464 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58484 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58466 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.5846 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58329 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58476 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58445 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58407 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58433 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58413 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 2 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 3 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 4 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 5 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 6 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 7 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 8 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 13 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 14 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 15 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 16 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@15.1.0 |
|
|
| aliases |
CVE-2021-3856, GHSA-3w4v-rvc4-2xpw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-em5z-nvqy-fucp |
|
| 27 |
| url |
VCID-engr-q4ge-53dc |
| vulnerability_id |
VCID-engr-q4ge-53dc |
| summary |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6134 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85283 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85203 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85221 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85224 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85246 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85254 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85268 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85266 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85263 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6134 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6134, GHSA-cvg2-7c3j-g36j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-engr-q4ge-53dc |
|
| 28 |
| url |
VCID-epys-8p8v-zugv |
| vulnerability_id |
VCID-epys-8p8v-zugv |
| summary |
keycloak-core: open redirect via "form_post.jwt" JARM response mode
An incomplete fix was found in Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6927 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74711 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74632 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74658 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74633 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74665 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74679 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74703 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74682 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00838 |
| scoring_system |
epss |
| scoring_elements |
0.74674 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6927 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6927, GHSA-3p75-q5cc-qmj7, GHSA-9vm7-v8wj-3fqw, GMS-2024-51
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-epys-8p8v-zugv |
|
| 29 |
| url |
VCID-fknh-1j7d-jyeq |
| vulnerability_id |
VCID-fknh-1j7d-jyeq |
| summary |
Improper authorization in Keycloak
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1466 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36626 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3658 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3652 |
| published_at |
2026-04-01T12:55:00Z |
|
| 3 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36723 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36692 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36604 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36638 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36632 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36613 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36561 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1466 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-1466, GHSA-f32v-vf79-p29q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fknh-1j7d-jyeq |
|
| 30 |
| url |
VCID-gjy5-c6by-2ufg |
| vulnerability_id |
VCID-gjy5-c6by-2ufg |
| summary |
Improper Handling of Exceptional Conditions
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1744 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56222 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56225 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56192 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56186 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56166 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56217 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56233 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56056 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56209 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56165 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1744 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 20 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 21 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 22 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 23 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 24 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 25 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 26 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 27 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 28 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 29 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 30 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 31 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 32 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.2 |
|
|
| aliases |
CVE-2020-1744, GHSA-4gf2-xv97-63m2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gjy5-c6by-2ufg |
|
| 31 |
| url |
VCID-gndk-728r-9yh7 |
| vulnerability_id |
VCID-gndk-728r-9yh7 |
| summary |
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66117 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66129 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.6611 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66098 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66012 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66123 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66087 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66049 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66083 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66055 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 2 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 3 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 4 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 5 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 6 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 7 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 8 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 13 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 14 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 15 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 16 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@15.1.0 |
|
|
| aliases |
CVE-2021-3632, GHSA-qpq9-jpv4-6gwr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gndk-728r-9yh7 |
|
| 32 |
| url |
VCID-heqp-u355-wyaz |
| vulnerability_id |
VCID-heqp-u355-wyaz |
| summary |
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-10039, GHSA-93ww-43rr-79v3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-heqp-u355-wyaz |
|
| 33 |
| url |
VCID-hgu6-1a6g-13bw |
| vulnerability_id |
VCID-hgu6-1a6g-13bw |
| summary |
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14637 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48575 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48521 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48517 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48539 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48512 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48525 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48455 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48492 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48514 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00252 |
| scoring_system |
epss |
| scoring_elements |
0.48467 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14637 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 4 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 5 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 6 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 7 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 8 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 9 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 10 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 11 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 12 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 13 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 14 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 15 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 16 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 17 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 18 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 19 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 20 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 21 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 22 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 23 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 24 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 25 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 26 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 27 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 28 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 29 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 30 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 31 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 32 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 33 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 34 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 35 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 36 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 37 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 38 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 39 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 40 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 41 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 42 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 43 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 44 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
|
|
| aliases |
CVE-2018-14637, GHSA-gf2j-7qwg-4f5x
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hgu6-1a6g-13bw |
|
| 34 |
| url |
VCID-j1rd-aem6-vfgj |
| vulnerability_id |
VCID-j1rd-aem6-vfgj |
| summary |
Keycloak vulnerable to Improper Certificate Validation
keycloak accepts an expired certificate by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.
This issue was partially fixed in version [13.0.1](https://github.com/keycloak/keycloak/pull/6330) and more completely fixed in version [14.0.0](https://github.com/keycloak/keycloak/pull/8067). |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-35509 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25039 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25025 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.2498 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24911 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25137 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25021 |
| published_at |
2026-04-01T12:55:00Z |
|
| 6 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24958 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24945 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24999 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25098 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-35509 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 15 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 16 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 17 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@14.0.0 |
|
|
| aliases |
CVE-2020-35509, GHSA-rpj2-w6fr-79hc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j1rd-aem6-vfgj |
|
| 35 |
| url |
VCID-kp25-fan9-jkd2 |
| vulnerability_id |
VCID-kp25-fan9-jkd2 |
| summary |
Keycloak allows cross-site scripting (XSS)
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4028 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29136 |
| published_at |
2026-04-08T12:55:00Z |
|
| 1 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29113 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29086 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29138 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29184 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29178 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00108 |
| scoring_system |
epss |
| scoring_elements |
0.29073 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.3563 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.35655 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4028 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-4028, GHSA-q4xq-445g-g6ch
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kp25-fan9-jkd2 |
|
| 36 |
| url |
VCID-kzc8-pgz7-6bep |
| vulnerability_id |
VCID-kzc8-pgz7-6bep |
| summary |
Keycloak Insufficient Session Expiry
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1724 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33377 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33342 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33365 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33369 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33323 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33403 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33314 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33451 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33406 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33482 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1724 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 20 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 21 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 22 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 23 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 24 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 25 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 26 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 27 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 28 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 29 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 30 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 31 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 32 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.2 |
|
|
| aliases |
CVE-2020-1724, GHSA-8xj2-47xw-q78c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kzc8-pgz7-6bep |
|
| 37 |
| url |
VCID-mumt-rvzk-w7d4 |
| vulnerability_id |
VCID-mumt-rvzk-w7d4 |
| summary |
Improper Authentication
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1718 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.5867 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58653 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58659 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58677 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58658 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58638 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58526 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.5861 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58631 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58601 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1718 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 5 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 6 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 7 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 8 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 9 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 25 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 26 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 27 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 28 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 29 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 30 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 31 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 32 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 33 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 34 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 35 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 36 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2020-1718, GHSA-j229-2h63-rvh9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mumt-rvzk-w7d4 |
|
| 38 |
| url |
VCID-n23y-qjaf-tfcm |
| vulnerability_id |
VCID-n23y-qjaf-tfcm |
| summary |
Keycloak XSS via use of malicious payload as group name when creating new group from admin console
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0225 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65469 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65353 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65401 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65428 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65391 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65444 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65455 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65474 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.6546 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00487 |
| scoring_system |
epss |
| scoring_elements |
0.65432 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0225 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-0225, GHSA-fqc7-5xxc-ph7r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n23y-qjaf-tfcm |
|
| 39 |
| url |
VCID-nhe2-8dtq-gqbf |
| vulnerability_id |
VCID-nhe2-8dtq-gqbf |
| summary |
URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39737 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39721 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39743 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39661 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.3973 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39739 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39703 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39687 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6291, GHSA-mpwq-j3xf-7m5w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhe2-8dtq-gqbf |
|
| 40 |
| url |
VCID-q38e-e4s5-nkb1 |
| vulnerability_id |
VCID-q38e-e4s5-nkb1 |
| summary |
This advisory has been marked as a False Positive and has been removed. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1714 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84274 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84252 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84255 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84261 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84243 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84237 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84214 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84196 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.02152 |
| scoring_system |
epss |
| scoring_elements |
0.84182 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1714 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@11.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@11.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 20 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 21 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 22 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 23 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 24 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 25 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 26 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 27 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 28 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 29 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@11.0.0 |
|
|
| aliases |
CVE-2020-1714, GHSA-m6mm-q862-j366
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q38e-e4s5-nkb1 |
|
| 41 |
| url |
VCID-qexf-7axp-9kas |
| vulnerability_id |
VCID-qexf-7axp-9kas |
| summary |
Improper Certificate Validation
It was found that SAML authentication in Keycloak incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10894 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1726 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17045 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17107 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17167 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17215 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17237 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1718 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1731 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17089 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17088 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10894 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 4 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 5 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 6 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 7 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 8 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 9 |
| vulnerability |
VCID-78nt-79j3-k3fh |
|
| 10 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 11 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 12 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 13 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 14 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 15 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 16 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 17 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 18 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 19 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 20 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 21 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 22 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 23 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 24 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 25 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 26 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 27 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 28 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 29 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 30 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 31 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 32 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 33 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 34 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 35 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 36 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 37 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 38 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 39 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 40 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 41 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 42 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 43 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 44 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 45 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 46 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 47 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
|
| 1 |
|
|
| aliases |
CVE-2018-10894, GHSA-xvv8-8wh9-9fh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qexf-7axp-9kas |
|
| 42 |
| url |
VCID-s6f1-tnbu-jfaq |
| vulnerability_id |
VCID-s6f1-tnbu-jfaq |
| summary |
Keycloak leaks sensitive information in logged exceptions
A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1698 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15561 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15724 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15752 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15818 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15621 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15706 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15765 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15734 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.157 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15635 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1698 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 25 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 26 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 27 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 28 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 29 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 30 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 31 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 32 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 33 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 34 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.0 |
|
|
| aliases |
CVE-2020-1698, GHSA-qgmm-f2qw-r95f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s6f1-tnbu-jfaq |
|
| 43 |
| url |
VCID-sghy-8wey-5yg5 |
| vulnerability_id |
VCID-sghy-8wey-5yg5 |
| summary |
Exposure of Sensitive Information to an Unauthorized Actor in Keycloak
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-14820 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.5421 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54151 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54203 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54199 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54248 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54231 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54129 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54146 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54176 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-14820 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 5 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 6 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 7 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 8 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 9 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 25 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 26 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 27 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 28 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 29 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 30 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 31 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 32 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 33 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 34 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 35 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 36 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-14820, GHSA-xfqh-7356-vqjj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sghy-8wey-5yg5 |
|
| 44 |
| url |
VCID-sk6p-vfu6-7kem |
| vulnerability_id |
VCID-sk6p-vfu6-7kem |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50616 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50565 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50518 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50573 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.5057 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50612 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50589 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50574 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50481 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50537 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 25 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 26 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 27 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-10776, GHSA-484q-784p-8m5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sk6p-vfu6-7kem |
|
| 45 |
| url |
VCID-t22n-hvrb-67b5 |
| vulnerability_id |
VCID-t22n-hvrb-67b5 |
| summary |
Authentication Bypass in keycloak
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27826 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37685 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37719 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37744 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37622 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37687 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.377 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37666 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37638 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37538 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27826 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 25 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 26 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 27 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-27826, GHSA-m9cj-v55f-8x26
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t22n-hvrb-67b5 |
|
| 46 |
| url |
VCID-th5p-51pd-3ffg |
| vulnerability_id |
VCID-th5p-51pd-3ffg |
| summary |
Improper privilege management in Keycloak
A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35337 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35358 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35321 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35299 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35177 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35378 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35403 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35285 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35331 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35356 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 25 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 26 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 27 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-14389, GHSA-c9x9-xv66-xp3v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-th5p-51pd-3ffg |
|
| 47 |
| url |
VCID-u5ba-kpd5-67bm |
| vulnerability_id |
VCID-u5ba-kpd5-67bm |
| summary |
Keycloak discloses information without authentication
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27838 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.9936 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99357 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99356 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99355 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99354 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99349 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99353 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99352 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27838 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 1 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 2 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 3 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 4 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 5 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 6 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 7 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 8 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 9 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 10 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 11 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 14 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 15 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 16 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 17 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 18 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-27838, GHSA-pcv5-m2wh-66j3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u5ba-kpd5-67bm |
|
| 48 |
| url |
VCID-v4pf-q8hu-8kda |
| vulnerability_id |
VCID-v4pf-q8hu-8kda |
| summary |
Improper Verification of Cryptographic Signature in keycloak
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10201 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33351 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33339 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33372 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33375 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33334 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33311 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33291 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33427 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33458 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33296 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10201 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 4 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 11 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 12 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 13 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 14 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 15 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 16 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 17 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 18 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 19 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 20 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 21 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 22 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 23 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 24 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 25 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 26 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 27 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 28 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 29 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 30 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 31 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 32 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 33 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 34 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 35 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 36 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 37 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 38 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 39 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 40 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-10201, GHSA-4fgq-gq9g-3rw7
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v4pf-q8hu-8kda |
|
| 49 |
| url |
VCID-vnp3-9ddj-qfa2 |
| vulnerability_id |
VCID-vnp3-9ddj-qfa2 |
| summary |
A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14658 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47125 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47013 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47068 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47064 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47088 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47062 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47009 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47046 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47066 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14658 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-28sw-q8sc-5ugs |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 4 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 5 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 6 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 7 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 8 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 9 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 10 |
| vulnerability |
VCID-7mm5-8378-rua3 |
|
| 11 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 12 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 13 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 14 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 15 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 16 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 17 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 18 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 19 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 20 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 21 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 22 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 23 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 24 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 25 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 26 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 27 |
| vulnerability |
VCID-hgu6-1a6g-13bw |
|
| 28 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 29 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 30 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 31 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 32 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 33 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 34 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 35 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 36 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 37 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 38 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 39 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 40 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 41 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 42 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 43 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 44 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 45 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 46 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 47 |
| vulnerability |
VCID-ysrd-zv5b-wfeg |
|
| 48 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
|
|
| aliases |
CVE-2018-14658, GHSA-3qh2-mccc-q5m6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vnp3-9ddj-qfa2 |
|
| 50 |
| url |
VCID-xdxx-tdkj-wbba |
| vulnerability_id |
VCID-xdxx-tdkj-wbba |
| summary |
Improper Certificate Validation
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48804 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.4875 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48704 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48759 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48756 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48773 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48747 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48755 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48685 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48724 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 20 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 21 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 22 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 23 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 24 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 25 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 26 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 27 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 28 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 29 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 30 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@10.0.0 |
|
|
| aliases |
CVE-2020-1758, GHSA-c597-f74m-jgc2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xdxx-tdkj-wbba |
|
| 51 |
| url |
VCID-y1jz-hqab-pycq |
| vulnerability_id |
VCID-y1jz-hqab-pycq |
| summary |
XSS in Keycloak
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1697 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51729 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51681 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51678 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51726 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51704 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51688 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.5159 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51642 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51667 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51627 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1697 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 25 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 26 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 27 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 28 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 29 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 30 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 31 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 32 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 33 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 34 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.0 |
|
|
| aliases |
CVE-2020-1697, GHSA-8vf3-4w62-m3pq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y1jz-hqab-pycq |
|
| 52 |
| url |
VCID-yaxc-7za7-zbbe |
| vulnerability_id |
VCID-yaxc-7za7-zbbe |
| summary |
Keycloak vulnerable to untrusted certificate validation
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-1664 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48731 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48756 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48742 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48787 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48738 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48739 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48709 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48734 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48688 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-1664 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-1664, GHSA-5cc8-pgp5-7mpm, GHSA-c892-cwq6-qrqf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yaxc-7za7-zbbe |
|
| 53 |
| url |
VCID-yp87-przu-bbbg |
| vulnerability_id |
VCID-yp87-przu-bbbg |
| summary |
Improper Restriction of Rendered UI Layers or Frames in Keycloak
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1728 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32985 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.33097 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32927 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32973 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.33003 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.33006 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32968 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32943 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32935 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.33064 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1728 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2020-1728 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:M/Au:N/C:P/I:P/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 2 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2020-1728 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 5 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 6 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 7 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 8 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 9 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 20 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 21 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 22 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 23 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 24 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 25 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 26 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 27 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 28 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 29 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 30 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@10.0.0 |
|
|
| aliases |
CVE-2020-1728, GHSA-3gg7-9q2x-79fc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yp87-przu-bbbg |
|
| 54 |
| url |
VCID-ysrd-zv5b-wfeg |
| vulnerability_id |
VCID-ysrd-zv5b-wfeg |
| summary |
Information Exposure
Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.5095 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50908 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50934 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50891 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50948 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50946 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50988 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50967 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.5085 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3868 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@6.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@6.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-3ncm-zz6v-2ua2 |
|
| 4 |
| vulnerability |
VCID-3ued-3fnw-a7h7 |
|
| 5 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 6 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 7 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 8 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 9 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 10 |
| vulnerability |
VCID-96mj-gt5k-23ck |
|
| 11 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 12 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 13 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 14 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 15 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 16 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 17 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 18 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 19 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 20 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 21 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 22 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 23 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 24 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 25 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 26 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 27 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 28 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 29 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 30 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 31 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 32 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 33 |
| vulnerability |
VCID-sghy-8wey-5yg5 |
|
| 34 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 35 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 36 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 37 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 38 |
| vulnerability |
VCID-v4pf-q8hu-8kda |
|
| 39 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 40 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 41 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 42 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
| 43 |
| vulnerability |
VCID-yzy7-9vf5-tfht |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@6.0.0 |
|
|
| aliases |
CVE-2019-3868, GHSA-gc52-xj6p-9pxp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ysrd-zv5b-wfeg |
|
| 55 |
| url |
VCID-yzy7-9vf5-tfht |
| vulnerability_id |
VCID-yzy7-9vf5-tfht |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10170 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.73012 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.72945 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.7292 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.72958 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.72972 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.72997 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.72977 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.7297 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.72913 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.72925 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10170 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 2 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 3 |
| vulnerability |
VCID-49qw-j7rn-qfdf |
|
| 4 |
| vulnerability |
VCID-5apu-r7pn-byet |
|
| 5 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 6 |
| vulnerability |
VCID-7j7q-m1zp-zfac |
|
| 7 |
| vulnerability |
VCID-7xuf-btg3-ckf6 |
|
| 8 |
| vulnerability |
VCID-c8ps-95au-zbg5 |
|
| 9 |
| vulnerability |
VCID-cp2f-bjsx-nkfm |
|
| 10 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 11 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 12 |
| vulnerability |
VCID-e85z-cn66-fye8 |
|
| 13 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 14 |
| vulnerability |
VCID-eaaa-ejr9-6ygx |
|
| 15 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 16 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 17 |
| vulnerability |
VCID-epys-8p8v-zugv |
|
| 18 |
| vulnerability |
VCID-fknh-1j7d-jyeq |
|
| 19 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 20 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 21 |
| vulnerability |
VCID-heqp-u355-wyaz |
|
| 22 |
| vulnerability |
VCID-j1rd-aem6-vfgj |
|
| 23 |
| vulnerability |
VCID-kp25-fan9-jkd2 |
|
| 24 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 25 |
| vulnerability |
VCID-n23y-qjaf-tfcm |
|
| 26 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 27 |
| vulnerability |
VCID-q38e-e4s5-nkb1 |
|
| 28 |
| vulnerability |
VCID-s6f1-tnbu-jfaq |
|
| 29 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 30 |
| vulnerability |
VCID-t22n-hvrb-67b5 |
|
| 31 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 32 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 33 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 34 |
| vulnerability |
VCID-y1jz-hqab-pycq |
|
| 35 |
| vulnerability |
VCID-yaxc-7za7-zbbe |
|
| 36 |
| vulnerability |
VCID-yp87-przu-bbbg |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-10170, GHSA-7m27-3587-83xf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yzy7-9vf5-tfht |
|