| 0 |
| url |
VCID-14c3-xa9j-mbab |
| vulnerability_id |
VCID-14c3-xa9j-mbab |
| summary |
Incorrect implementation of lockout feature in Keycloak
A flaw was found in Keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to an incorrect error message being displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
| references |
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42201 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42238 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42214 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42189 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42225 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42174 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42156 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42216 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42207 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.4213 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 4 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 5 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 6 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 7 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 8 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 9 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 10 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 11 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 12 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 13 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 14 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 15 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 16 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 17 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 18 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 19 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 20 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 21 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 22 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 23 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 24 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 25 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 26 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 27 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 28 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 29 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 30 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 31 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 32 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 33 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 34 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 35 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 36 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 37 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 38 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 39 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 40 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 41 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 42 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 43 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 44 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 45 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 46 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 47 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 48 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 49 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 50 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 51 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 52 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 53 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 54 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 55 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 56 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 57 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 58 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 59 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@13.0.0 |
|
|
| aliases |
CVE-2021-3513, GHSA-xv7h-95r7-595j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-14c3-xa9j-mbab |
|
| 1 |
| url |
VCID-2dgp-xdrz-q7dv |
| vulnerability_id |
VCID-2dgp-xdrz-q7dv |
| summary |
Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.
### Original Description
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very short emails (subject and little data; the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-qj5r-2r5p-phc7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2dgp-xdrz-q7dv |
|
| 2 |
| url |
VCID-2dgt-7k4f-fyce |
| vulnerability_id |
VCID-2dgt-7k4f-fyce |
| summary |
Keycloak path traversal vulnerability in the redirect validation
An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. |
| references |
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2419 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21186 |
| published_at |
2026-04-08T12:55:00Z |
|
| 1 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21106 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21165 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21154 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21163 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21216 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21257 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21248 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21297 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21352 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2419 |
|
|
| fixed_packages |
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-2419, GHSA-mrv8-pqfj-7gp5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2dgt-7k4f-fyce |
|
| 3 |
| url |
VCID-2xyb-g3n4-n3ca |
| vulnerability_id |
VCID-2xyb-g3n4-n3ca |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.74741 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.7475 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00842 |
| scoring_system |
epss |
| scoring_elements |
0.74771 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75057 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75046 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75012 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75036 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75007 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00861 |
| scoring_system |
epss |
| scoring_elements |
0.75004 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00978 |
| scoring_system |
epss |
| scoring_elements |
0.76771 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00978 |
| scoring_system |
epss |
| scoring_elements |
0.76766 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@20.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@20.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 10 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 11 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 12 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 13 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 14 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 15 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 16 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 17 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 18 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 19 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 20 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 21 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 22 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 23 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 24 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 25 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 26 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 27 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 28 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 29 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 30 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 31 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 32 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 33 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 34 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 35 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 36 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 37 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 38 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 39 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 40 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 41 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 42 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 43 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 44 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 45 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 46 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 47 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 48 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 49 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@20.0.5 |
|
|
| aliases |
CVE-2022-1274, GHSA-m4fv-gm5m-4725, GMS-2023-528
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2xyb-g3n4-n3ca |
|
| 4 |
| url |
VCID-3248-31p8-tyd4 |
| vulnerability_id |
VCID-3248-31p8-tyd4 |
| summary |
Incorrect Authorization
A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3011 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30188 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30272 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3009 |
| published_at |
2026-04-18T12:55:00Z |
|
| 4 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3015 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30186 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30145 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30193 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30095 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30223 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 4 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 5 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 6 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 7 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 8 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 9 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 10 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 11 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 12 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 13 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 14 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 15 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 16 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 17 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 18 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 19 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 20 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 21 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 22 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 23 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 24 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 25 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 26 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 27 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 28 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 29 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 30 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 31 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 32 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 33 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 34 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 35 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 36 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 37 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 38 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 39 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 40 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 41 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 42 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 43 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 44 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 45 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 46 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 47 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 48 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 49 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 50 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 51 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 52 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 53 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 54 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 55 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 56 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 57 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 58 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 59 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@13.0.0 |
|
|
| aliases |
CVE-2020-1725, GHSA-p225-pc2x-4jpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3248-31p8-tyd4 |
|
| 5 |
| url |
VCID-3bcu-tbpy-gfg6 |
| vulnerability_id |
VCID-3bcu-tbpy-gfg6 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A POST-based reflected cross-site scripting vulnerability has been identified in Keycloak. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20323 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.9852 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98504 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98506 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98509 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98511 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98514 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98513 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98519 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.66054 |
| scoring_system |
epss |
| scoring_elements |
0.98502 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20323 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@17.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@17.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 4 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 5 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 6 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 7 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 8 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 9 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 10 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 11 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 12 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 13 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 14 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 15 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 16 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 17 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 18 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 19 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 20 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 21 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 22 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 23 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 24 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 25 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 26 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 27 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 28 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 29 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 30 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 31 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 32 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 33 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 34 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 35 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 36 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 37 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 38 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 39 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 40 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 41 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 42 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 43 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 44 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 45 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 46 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 47 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 48 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 49 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 50 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 51 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 52 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 53 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 54 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 55 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@17.0.0 |
|
|
| aliases |
CVE-2021-20323, GHSA-xpgc-j48j-jwv9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| url |
VCID-3sh8-6vsc-1uae |
| vulnerability_id |
VCID-3sh8-6vsc-1uae |
| summary |
Keycloak vulnerable to impersonation via logout token exchange
Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. |
| references |
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0657 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12178 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12024 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12224 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1704 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16873 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16871 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16934 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16993 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17006 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17065 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0657 |
|
|
| fixed_packages |
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-0657, GHSA-7fpj-9hr8-28vh
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3sh8-6vsc-1uae |
|
| 7 |
| url |
VCID-41hy-n7tz-3bee |
| vulnerability_id |
VCID-41hy-n7tz-3bee |
| summary |
Keycloak's admin API allows low privilege users to use administrative functions
Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
| references |
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3656 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.9956 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99561 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99559 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99562 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99563 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99564 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3656 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 28 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
CVE-2024-3656, GHSA-2cww-fgmg-4jqc
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-41hy-n7tz-3bee |
|
| 8 |
| url |
VCID-44rr-5gtu-bfev |
| vulnerability_id |
VCID-44rr-5gtu-bfev |
| summary |
Keycloak is vulnerable to IDN homograph attack
A flaw was found in keycloak, where IDN homograph attacks are possible. This flaw allows a malicious user to register a name that already exists and then trick an admin into granting extra privileges. The highest threat from this vulnerability is to integrity. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 4 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 5 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 6 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 7 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 8 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 9 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 10 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 11 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 12 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 13 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 14 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 15 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 16 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 17 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 18 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 19 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 20 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 21 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 22 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 23 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 24 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 25 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 26 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 27 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 28 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 29 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 30 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 31 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 32 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 33 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 34 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 35 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 36 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 37 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 38 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 39 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 40 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 41 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 42 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 43 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 44 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 45 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 46 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 47 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 48 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 49 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 50 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 51 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 52 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@18.0.0 |
|
|
| aliases |
GHSA-mwm4-5qwr-g9pf, GMS-2022-1099
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-44rr-5gtu-bfev |
|
| 9 |
| url |
VCID-4p6v-j4up-2ye2 |
| vulnerability_id |
VCID-4p6v-j4up-2ye2 |
| summary |
keycloak: missing input validation in IDP authorization URLs |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1727 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40003 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.4015 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40176 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40098 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40163 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40173 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40136 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40116 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40166 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00184 |
| scoring_system |
epss |
| scoring_elements |
0.40137 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1727 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 26 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 27 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 28 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 29 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 30 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 31 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 32 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 33 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 34 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 35 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 36 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 37 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 38 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 39 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 40 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 41 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 42 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 43 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 44 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 45 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 46 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 47 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 48 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 49 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 50 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 51 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 52 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 53 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 54 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 55 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 56 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 57 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 58 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 59 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 60 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 61 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 62 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 63 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 64 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 65 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 66 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 67 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 68 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 69 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@9.0.2 |
|
|
| aliases |
CVE-2020-1727
|
| risk_score |
2.9 |
| exploitability |
0.5 |
| weighted_severity |
5.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4p6v-j4up-2ye2 |
|
| 10 |
| url |
VCID-5f8r-n4mm-y3g6 |
| vulnerability_id |
VCID-5f8r-n4mm-y3g6 |
| summary |
Keycloak phishing attack via email verification step in first login flow
There is a flaw with the first login flow where, during an IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity.
This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:11986 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:11986 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:11987 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:11987 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:12015 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:12015 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:12016 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:12016 |
|
| 4 |
|
| 5 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2025-7365 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2025-7365 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-7365 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02484 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02498 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03277 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03362 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03382 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03341 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03312 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03267 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03357 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03291 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-7365 |
|
| 7 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2378852 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2378852 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 2 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 3 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 4 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 5 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 6 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 7 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 8 |
| vulnerability |
VCID-edwz-rqc3-fqa2 |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 15 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 16 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 17 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 18 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 19 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 20 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 21 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.0 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-7365, GHSA-xhpr-465j-7p9q
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| url |
VCID-5vwq-aqk5-nkh9 |
| vulnerability_id |
VCID-5vwq-aqk5-nkh9 |
| summary |
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1190 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03614 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04592 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04549 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.0454 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04564 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.0458 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04597 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04608 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04543 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04557 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1190 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1190, GHSA-63v5-26vq-m4vm
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| url |
VCID-5zh4-963a-q3gp |
| vulnerability_id |
VCID-5zh4-963a-q3gp |
| summary |
Keycloak vulnerable to session takeovers due to reuse of session identifiers
A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:21370 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:21370 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:21371 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:21371 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:22088 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:22088 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:22089 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:22089 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12390 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0135 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01345 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03043 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03101 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03106 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03131 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03093 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03069 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03057 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03033 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12390 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2406793 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2406793 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://github.com/keycloak/keycloak/issues/43853 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://github.com/keycloak/keycloak/issues/43853 |
|
| 15 |
|
| 16 |
|
| 17 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2025-12390 |
| reference_id |
CVE-2025-12390 |
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2025-12390 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 4 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 5 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 6 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 7 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 8 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 15 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 16 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 17 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 18 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 19 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 20 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 21 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 22 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 23 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.0 |
|
|
| aliases |
CVE-2025-12390, GHSA-rg35-5v25-mqvp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5zh4-963a-q3gp |
|
| 13 |
| url |
VCID-6hy1-r23s-cbhy |
| vulnerability_id |
VCID-6hy1-r23s-cbhy |
| summary |
Duplicate Advisory: Keycloak Open Redirect vulnerability
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references.
# Original Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.6 |
|
|
| aliases |
GHSA-vvf8-2h68-9475
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6hy1-r23s-cbhy |
|
| 14 |
| url |
VCID-6s4w-hv7a-ffaw |
| vulnerability_id |
VCID-6s4w-hv7a-ffaw |
| summary |
Keycloak vulnerable to Server-Side Request Forgery
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out to an unverified URL using the OIDC parameter `request_uri`. This flaw allows an attacker to use this parameter to execute a Server-Side Request Forgery (SSRF) attack. |
| references |
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10770 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99719 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99718 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.9972 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.92282 |
| scoring_system |
epss |
| scoring_elements |
0.99717 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10770 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@12.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@12.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@12.0.2 |
|
|
| aliases |
CVE-2020-10770, GHSA-jh7q-5mwf-qvhw
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6s4w-hv7a-ffaw |
|
| 15 |
| url |
VCID-7c1j-kcbb-v3f1 |
| vulnerability_id |
VCID-7c1j-kcbb-v3f1 |
| summary |
Keycloak: Information disclosure of disabled user attributes via administrative endpoint
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. |
| references |
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3911 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01414 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01407 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01402 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01254 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01408 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01413 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01773 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01788 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01786 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01775 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3911 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3911, GHSA-xh32-c9wx-phrp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| url |
VCID-83en-fek9-4qd7 |
| vulnerability_id |
VCID-83en-fek9-4qd7 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-4361 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01293 |
| scoring_system |
epss |
| scoring_elements |
0.79705 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.01293 |
| scoring_system |
epss |
| scoring_elements |
0.79676 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.01293 |
| scoring_system |
epss |
| scoring_elements |
0.79683 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.01293 |
| scoring_system |
epss |
| scoring_elements |
0.79699 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.01293 |
| scoring_system |
epss |
| scoring_elements |
0.79678 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.01293 |
| scoring_system |
epss |
| scoring_elements |
0.79671 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01624 |
| scoring_system |
epss |
| scoring_elements |
0.81792 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.01624 |
| scoring_system |
epss |
| scoring_elements |
0.81814 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.01624 |
| scoring_system |
epss |
| scoring_elements |
0.81812 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-4361 |
|
| 2 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2151618 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
|
| 1 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-12T19:43:33Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2151618 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.1.2 |
|
|
| aliases |
CVE-2022-4361, GHSA-3p62-6fjh-3p5h
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-83en-fek9-4qd7 |
|
| 17 |
| url |
VCID-91gs-k267-3kbq |
| vulnerability_id |
VCID-91gs-k267-3kbq |
| summary |
Keycloak vulnerable to session hijacking via re-authentication
A flaw was found in Keycloak. An active Keycloak session can be hijacked by initiating a new authentication (with the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, an account takeover could take place because the new session, with a different SUB, will have the same SID as the previous session. |
| references |
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6787 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.59694 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.59715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.5967 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.59664 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62175 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62156 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62192 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62143 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62187 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62164 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6787 |
|
|
| fixed_packages |
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6787, GHSA-c9h6-v78w-52wj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-91gs-k267-3kbq |
|
| 18 |
| url |
VCID-98yf-g4d3-u3g8 |
| vulnerability_id |
VCID-98yf-g4d3-u3g8 |
| summary |
Keycloak is vulnerable to IDN homograph attack
A flaw was found in Keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a homograph of an already registered name and trick an admin into granting him extra privileges. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3424 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37303 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37432 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37261 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37312 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37324 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37335 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37301 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37273 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.3732 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37242 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00164 |
| scoring_system |
epss |
| scoring_elements |
0.37408 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3424 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@18.0.0 |
|
|
| aliases |
CVE-2021-3424, GHSA-pf38-cw3p-22q9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-98yf-g4d3-u3g8 |
|
| 19 |
| url |
VCID-9wzh-7ych-y7c6 |
| vulnerability_id |
VCID-9wzh-7ych-y7c6 |
| summary |
Keycloak vulnerable to log Injection during WebAuthn authentication or registration
A flaw was found in Keycloak 22.0.5. Errors in the browser client during setup/authentication with "Security Key login" (WebAuthn) are written into the form, sent to Keycloak and logged without escaping, allowing log injection.
Acknowledgements:
Special thanks to Theresa Henze for reporting this issue and helping us improve our security. |
| references |
| 15 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6484 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56564 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56595 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56543 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56544 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63231 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63239 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63195 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63247 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6484 |
|
|
| fixed_packages |
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.5 |
|
|
| aliases |
CVE-2023-6484, GHSA-j628-q885-8gr5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9wzh-7ych-y7c6 |
|
| 20 |
| url |
VCID-ajcu-s4zn-63cn |
| vulnerability_id |
VCID-ajcu-s4zn-63cn |
| summary |
Keycloak secondary factor bypass in step-up authentication
Keycloak does not correctly validate its client step-up authentication. A password-authenticated attacker could use this flaw to register a false second authentication factor, alongside the existing one, on a targeted account. The second factor then permits step-up authentication. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1866 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1866 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 4 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-3597 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-3597 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-3597 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25769 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25871 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25881 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.2584 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25784 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25786 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28573 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28375 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28531 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28441 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-3597 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2221760 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2221760 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-3597, GHSA-4f53-xh3v-g8x4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ajcu-s4zn-63cn |
|
| 21 |
| url |
VCID-bhrr-nn9f-7udu |
| vulnerability_id |
VCID-bhrr-nn9f-7udu |
| summary |
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-5jfq-x6xp-7rw2. This link is maintained to preserve external references.
# Original Description
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-fx44-2wx5-5fvp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bhrr-nn9f-7udu |
|
| 22 |
| url |
VCID-by72-dvnw-m3gu |
| vulnerability_id |
VCID-by72-dvnw-m3gu |
| summary |
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-2559 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29505 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29687 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29508 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29571 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.2961 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29612 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29567 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29514 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29533 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29637 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-2559 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 2 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 3 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 4 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 5 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 6 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 7 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 8 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 9 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 10 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 11 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 12 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 13 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 14 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 15 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 16 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 17 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 18 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 19 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.5 |
|
|
| aliases |
CVE-2025-2559, GHSA-2935-2wfm-hhpv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-by72-dvnw-m3gu |
|
| 23 |
| url |
VCID-cdsa-wmby-ebbq |
| vulnerability_id |
VCID-cdsa-wmby-ebbq |
| summary |
Duplicate Advisory: Keycloak hostname verification
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references.
# Original Description
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-r934-w73g-v4p8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cdsa-wmby-ebbq |
|
| 24 |
| url |
VCID-cgf7-vbkd-cua6 |
| vulnerability_id |
VCID-cgf7-vbkd-cua6 |
| summary |
Keycloak's improper input validation allows using email as username
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the inability to reset/login with email for the user. This is caused by usernames being evaluated before emails. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3754 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93897 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93832 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93841 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.9385 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93853 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93861 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93865 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.9387 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93869 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93891 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3754 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 11 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 12 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 13 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 14 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 15 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 16 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 17 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 18 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 19 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 20 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 21 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 22 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 23 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 24 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 25 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 26 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 27 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 28 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 29 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 30 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 31 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 32 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 33 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 34 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 35 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 36 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 37 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 38 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 39 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 40 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.1 |
|
|
| aliases |
CVE-2021-3754, GHSA-4vc8-pg5c-vg4x
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cgf7-vbkd-cua6 |
|
| 25 |
| url |
VCID-d2rd-6u56-yfd8 |
| vulnerability_id |
VCID-d2rd-6u56-yfd8 |
| summary |
Keycloak vulnerable to two factor authentication bypass
# Description
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3910 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22169 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22292 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22336 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22121 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22204 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22258 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22277 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22235 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22175 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3910 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-3910, GHSA-5jfq-x6xp-7rw2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d2rd-6u56-yfd8 |
|
| 26 |
| url |
VCID-d6ku-ys87-cqh4 |
| vulnerability_id |
VCID-d6ku-ys87-cqh4 |
| summary |
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8883 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89855 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89801 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89815 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89819 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89836 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89843 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89849 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89847 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.8984 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89854 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8883 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 5 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 6 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 7 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 8 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 9 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 10 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 11 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 12 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 13 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 14 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 15 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 16 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 17 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 18 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 19 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 20 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 21 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 22 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 23 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 24 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.6 |
|
|
| aliases |
CVE-2024-8883, GHSA-w8gr-xwp4-r9f7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d6ku-ys87-cqh4 |
|
| 27 |
| url |
VCID-djwn-hkwg-g3gk |
| vulnerability_id |
VCID-djwn-hkwg-g3gk |
| summary |
keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36059 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36254 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36287 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36123 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36172 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3619 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36196 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36159 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36133 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.36175 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3616 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 4 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 5 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 6 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 7 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 8 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 9 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 10 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 11 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 12 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 13 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 14 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 15 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 16 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 17 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 18 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 19 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 20 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 21 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 22 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 23 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 24 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 25 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 26 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 27 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 28 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 29 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 30 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 31 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 32 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 33 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 34 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 35 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 36 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 37 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 38 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 39 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 40 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 41 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 42 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 43 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 44 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 45 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 46 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 47 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 48 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 49 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 50 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 51 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 52 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 53 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 54 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 55 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 56 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 57 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 58 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 59 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@13.0.0 |
|
|
| aliases |
CVE-2020-14302
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-djwn-hkwg-g3gk |
|
| 28 |
| url |
VCID-dxj3-8sk5-mfdy |
| vulnerability_id |
VCID-dxj3-8sk5-mfdy |
| summary |
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45477 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45418 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45438 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45382 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45437 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45458 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45428 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.4543 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45481 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@20.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@20.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 4 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 5 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 6 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 7 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 8 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 9 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 10 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 11 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 12 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 13 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 14 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 15 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 16 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 17 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 18 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 19 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 20 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 21 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 22 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 23 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 24 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 25 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 26 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 27 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 28 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 29 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 30 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 31 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 32 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 33 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 34 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 35 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 36 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 37 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 38 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 39 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 40 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 41 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 42 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 43 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 44 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 45 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 46 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 47 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 48 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 49 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 50 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 51 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@20.0.2 |
|
|
| aliases |
CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dxj3-8sk5-mfdy |
|
| 29 |
| url |
VCID-e4ub-v4ef-affb |
| vulnerability_id |
VCID-e4ub-v4ef-affb |
| summary |
Keycloak hostname verification
A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25879 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.26058 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.26099 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25867 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25936 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25988 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25998 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25954 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25895 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25898 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3501 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-3501, GHSA-hw58-3793-42gg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e4ub-v4ef-affb |
|
| 30 |
| url |
VCID-e9qa-sy57-fqby |
| vulnerability_id |
VCID-e9qa-sy57-fqby |
| summary |
Temporary Directory Hijacking Vulnerability in Keycloak
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13871 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13879 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13984 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.13999 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14128 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14184 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14081 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14036 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14078 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14047 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14134 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 4 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 5 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 6 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 7 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 8 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 9 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 10 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 11 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 12 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 13 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 14 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 15 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 16 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 17 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 18 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 19 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 20 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 21 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 22 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 23 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 24 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 25 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 26 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 27 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 28 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 29 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 30 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 31 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 32 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 33 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 34 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 35 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 36 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 37 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 38 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 39 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 40 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 41 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 42 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 43 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 44 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 45 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 46 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 47 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 48 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 49 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 50 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 51 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 52 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 53 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 54 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 55 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 56 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 57 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 58 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 59 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@13.0.0 |
|
|
| aliases |
CVE-2021-20202, GHSA-6xp6-fmc8-pmmr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e9qa-sy57-fqby |
|
| 31 |
| url |
VCID-em5z-nvqy-fucp |
| vulnerability_id |
VCID-em5z-nvqy-fucp |
| summary |
Keycloak has Files or Directories Accessible to External Parties
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available to the classloader as a resource. By requesting theme resources with a relative path from an external HTTP client, the client receives the content of arbitrary classpath files if they exist. |
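The resource-path escape described in the CVE-2021-3856 summary, shown as an added example that is not Keycloak's code: a lookup that joins a client-supplied relative path onto the theme root and lets the loader resolve `..` beside one that rejects traversal segments and re-checks containment. The in-memory `CLASSPATH` dictionary, its file names and the secret value are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed stand-in for the classpath: theme resources plus a file that
# is on the classpath but must never be served to an HTTP client.
CLASSPATH = {
    "theme/base/login/resources/css/login.css": "body { margin: 0 }",
    "theme/base/login/theme.properties": "parent=keycloak",
    "META-INF/keycloak.properties": "db.password=hunter2",  # constructed
}

THEME_ROOT = "theme/base/login/resources"


def vulnerable_lookup(requested: str) -> Optional[str]:
    """Vulnerable: the client-controlled tail is joined onto the theme root
    and handed to a loader that resolves '..', so '../' walks out of the
    theme and reads any classpath entry."""
    full = posixpath.normpath(posixpath.join(THEME_ROOT, unquote(requested)))
    return CLASSPATH.get(full)


def safe_lookup(requested: str) -> Optional[str]:
    """Hardened: decode once, refuse absolute paths, backslashes, NUL and
    any '.', '..' or empty segment, then re-check that the normalised path
    is still inside THEME_ROOT before touching the classpath."""
    decoded = unquote(requested)
    if decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return None
    if any(seg in ("", ".", "..") for seg in decoded.split("/")):
        return None
    full = posixpath.normpath(posixpath.join(THEME_ROOT, decoded))
    if not full.startswith(THEME_ROOT + "/"):  # defence in depth
        return None
    return CLASSPATH.get(full)
```

Decoding happens exactly once and before validation, so `%2e%2e` is caught by the same segment check as a literal `..`; the final prefix test guards against any normalisation rule the segment filter did not anticipate.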
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58445 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58464 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58484 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58466 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58413 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58481 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58476 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.5846 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58407 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58329 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58433 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 4 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 5 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 6 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 7 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 8 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 9 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 10 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 11 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 12 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 13 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 14 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 15 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 16 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 17 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 18 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 19 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 20 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 21 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 22 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 23 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 24 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 25 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 26 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 27 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 28 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 29 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 30 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 31 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 32 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 33 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 34 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 35 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 36 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 37 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 38 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 39 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 40 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 41 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 42 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 43 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 44 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 45 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 46 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 47 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 48 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 49 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 50 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 51 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 52 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 53 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 54 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 55 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 56 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 57 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@15.1.0 |
|
|
| aliases |
CVE-2021-3856, GHSA-3w4v-rvc4-2xpw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-em5z-nvqy-fucp |
|
| 32 |
| url |
VCID-engr-q4ge-53dc |
| vulnerability_id |
VCID-engr-q4ge-53dc |
| summary |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. |
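An added example of the validator shape the CVE-2023-6134 summary points at (illustrative code, not Keycloak's `RedirectUtils`, and the page does not state the exact code path that was bypassed): a redirect-URI check whose scheme blocklist is consulted only on the exact-match branch, so a registered pattern ending in `*` lets a blocked scheme through, beside a version that checks the scheme first and validates the fixed prefix of every wildcard pattern. The blocked-scheme set and the registered URIs are assumptions of the example.

```python
from typing import Iterable, List
from urllib.parse import urlsplit

# Schemes that must never appear in a redirect target: a browser would
# execute them in the page context instead of navigating.
BLOCKED_SCHEMES = {"javascript", "data", "vbscript"}


def _scheme_of(uri: str) -> str:
    return urlsplit(uri).scheme.lower()


def vulnerable_redirect_ok(requested: str, registered: Iterable[str]) -> bool:
    """Vulnerable shape: the scheme check lives only on the exact-match
    branch. A registered pattern ending in '*' is prefix-matched and the
    blocked-scheme list is never consulted for it."""
    for pattern in registered:
        if pattern.endswith("*"):
            if requested.startswith(pattern[:-1]):
                return True
        elif requested == pattern and _scheme_of(requested) not in BLOCKED_SCHEMES:
            return True
    return False


def safe_redirect_ok(requested: str, registered: Iterable[str]) -> bool:
    """Hardened: check the requested URI's scheme first, independent of how
    it will be matched, and treat a wildcard pattern as unusable if its
    fixed prefix carries a blocked (or no) scheme."""
    scheme = _scheme_of(requested)
    if not scheme or scheme in BLOCKED_SCHEMES:
        return False
    for pattern in registered:
        if pattern.endswith("*"):
            prefix = pattern[:-1]
            prefix_scheme = _scheme_of(prefix)
            if prefix_scheme and prefix_scheme not in BLOCKED_SCHEMES and requested.startswith(prefix):
                return True
        elif requested == pattern:
            return True
    return False


def reject_dangerous_patterns(patterns: Iterable[str]) -> List[str]:
    """Admin-side check for client registration: the trailing wildcard is
    stripped before the scheme is read, so 'javascript:*' is caught exactly
    like 'javascript:'."""
    bad = []
    for pattern in patterns:
        base = pattern[:-1] if pattern.endswith("*") else pattern
        if _scheme_of(base) in BLOCKED_SCHEMES:
            bad.append(pattern)
    return bad
```

Two properties matter: the request-time check must not depend on which branch matched, and the configuration-time check must normalise the pattern (strip the wildcard) before reading the scheme, otherwise the two checks disagree and the weaker one wins.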
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6134 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85284 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85203 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85221 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85224 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85246 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85254 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85268 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85266 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85263 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.02468 |
| scoring_system |
epss |
| scoring_elements |
0.85283 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6134 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 20 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 21 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 22 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 23 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 24 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 25 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 26 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 27 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 28 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 29 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 30 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 31 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 32 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 33 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 34 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 35 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 36 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 37 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 38 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 39 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 40 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 41 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 42 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 43 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 44 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
| 45 |
| vulnerability |
VCID-zp22-a33x-bqfq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 20 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 21 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 22 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 23 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 24 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 25 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 26 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 27 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 28 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 29 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 30 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 31 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 32 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 33 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 34 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 35 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 36 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 37 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 38 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 39 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 40 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 41 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 42 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 43 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.3 |
|
|
| aliases |
CVE-2023-6134, GHSA-cvg2-7c3j-g36j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-engr-q4ge-53dc |
|
| 33 |
| url |
VCID-ezqk-pyhr-5ffj |
| vulnerability_id |
VCID-ezqk-pyhr-5ffj |
| summary |
Keycloak has session fixation in Elytron SAML adapters
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. |
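The fixation the CVE-2024-7341 summary describes, as an added example that is not Keycloak's or Elytron's code: an in-memory session store (constructed for the example) with a login that keeps the pre-authentication session id beside one that rotates it, and a scenario function that checks whether an id known to the attacker before login resolves to the victim's authenticated session afterwards.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Constructed in-memory stand-in for the container's session manager."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def change_id(self, old_sid: str) -> str:
        """Move the session data under a fresh id and retire the old one
        (what a servlet container does on changeSessionId())."""
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(16)
        self._sessions[new_sid] = data
        return new_sid


def login_keeping_id(store: SessionStore, sid: str, user: str) -> str:
    """Vulnerable: the pre-authentication session id survives login, so an
    id the attacker already knows becomes an authenticated session."""
    store.get(sid)["user"] = user
    return sid


def login_rotating_id(store: SessionStore, sid: str, user: str) -> str:
    """Hardened: a new id is issued at the moment the principal is bound;
    the pre-authentication id no longer resolves to anything."""
    new_sid = store.change_id(sid)
    store.get(new_sid)["user"] = user
    return new_sid


def fixation_succeeds(rotate_on_login: bool) -> bool:
    """Attacker fixes a session id in the victim's browser before login,
    the victim authenticates, and the attacker presents the fixed id."""
    store = SessionStore()
    fixed_id = store.create()  # obtained by the attacker pre-authentication
    login = login_rotating_id if rotate_on_login else login_keeping_id
    login(store, fixed_id, "victim")
    session = store.get(fixed_id)  # attacker replays the fixed id
    return bool(session and session.get("user") == "victim")
```

The check a practitioner wants after patching an adapter is the second scenario: capture the JSESSIONID before authenticating, complete the SAML login, and confirm the old value is no longer accepted.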
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7341 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82525 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.8243 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82448 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82444 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82471 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82478 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82496 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82492 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82487 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82524 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7341 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 13 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 14 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 15 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 16 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 17 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 18 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 19 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 20 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 21 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 22 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 23 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 24 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 25 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 26 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.5 |
|
|
| aliases |
CVE-2024-7341, GHSA-5rxp-2rhr-qwqv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ezqk-pyhr-5ffj |
|
| 34 |
| url |
VCID-gjy5-c6by-2ufg |
| vulnerability_id |
VCID-gjy5-c6by-2ufg |
| summary |
Improper Handling of Exceptional Conditions
A flaw was found in Keycloak before version 9.0.1. When a Conditional OTP authentication flow is configured as the post-login flow of an identity provider, failed OTP login events are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events. |
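The effect described in the CVE-2020-1744 summary, as an added example (not Keycloak's BruteForceProtector): a per-user failure counter, an authentication step that either reports or swallows OTP failures, and a function that counts how many wrong codes an attacker can submit before lockout. The threshold of 5 and the user name are assumptions; `password_ok=True` stands in for a first factor already satisfied by the identity provider.

```python
from typing import Dict

MAX_FAILURES = 5  # assumed lockout threshold


class BruteForceProtector:
    """Constructed per-user failure counter with a permanent lockout."""

    def __init__(self, max_failures: int = MAX_FAILURES) -> None:
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}

    def record_failure(self, user: str) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.max_failures


def authenticate(protector: BruteForceProtector, user: str, password_ok: bool,
                 otp_ok: bool, report_otp_failures: bool) -> str:
    """First factor, then OTP. The flag decides whether a wrong OTP is
    reported to the protector (fixed) or silently dropped (the flaw)."""
    if protector.is_locked(user):
        return "locked"
    if not password_ok:
        protector.record_failure(user)
        return "bad-password"
    if not otp_ok:
        if report_otp_failures:
            protector.record_failure(user)
        return "bad-otp"
    return "ok"


def otp_guessing(report_otp_failures: bool, attempts: int = 20) -> dict:
    """An attacker whose first factor is already accepted submits
    `attempts` wrong OTP codes for one user."""
    protector = BruteForceProtector()
    results = [authenticate(protector, "alice", True, False, report_otp_failures)
               for _ in range(attempts)]
    return {
        "otp_attempts_accepted": results.count("bad-otp"),
        "locked_after": results.index("locked") if "locked" in results else None,
    }
```

The detection angle is the same counter: if the event stream feeding lockout never sees OTP failures, a six-digit code can be searched at whatever rate the server accepts requests, and no LOGIN_ERROR-style event marks the attempt.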
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1744 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56217 |
| published_at |
2026-04-08T12:55:00Z |
|
| 1 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56227 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56225 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56166 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56222 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56192 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56056 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56209 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56233 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56165 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56186 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1744 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 26 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 27 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 28 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 29 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 30 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 31 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 32 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 33 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 34 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 35 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 36 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 37 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 38 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 39 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 40 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 41 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 42 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 43 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 44 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 45 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 46 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 47 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 48 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 49 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 50 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 51 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 52 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 53 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 54 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 55 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 56 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 57 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 58 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 59 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 60 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 61 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 62 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 63 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 64 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 65 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 66 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 67 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 68 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 69 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@9.0.2 |
|
|
| aliases |
CVE-2020-1744, GHSA-4gf2-xv97-63m2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gjy5-c6by-2ufg |
|
| 35 |
| url |
VCID-gndk-728r-9yh7 |
| vulnerability_id |
VCID-gndk-728r-9yh7 |
| summary |
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66137 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66012 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66055 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66083 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66049 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66098 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.6611 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66129 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66117 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66087 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66123 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 4 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 5 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 6 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 7 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 8 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 9 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 10 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 11 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 12 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 13 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 14 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 15 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 16 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 17 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 18 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 19 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 20 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 21 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 22 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 23 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 24 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 25 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 26 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 27 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 28 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 29 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 30 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 31 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 32 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 33 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 34 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 35 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 36 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 37 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 38 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 39 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 40 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 41 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 42 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 43 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 44 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 45 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 46 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 47 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 48 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 49 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 50 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 51 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 52 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 53 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 54 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 55 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 56 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 57 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@15.1.0 |
|
|
| aliases |
CVE-2021-3632, GHSA-qpq9-jpv4-6gwr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gndk-728r-9yh7 |
|
| 36 |
| url |
VCID-gnxr-2t9g-4ye4 |
| vulnerability_id |
VCID-gnxr-2t9g-4ye4 |
| summary |
Keycloak SMTP Inject Vulnerability
Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very short emails (subject and little data; the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8419 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05423 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05458 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05415 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05384 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05478 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05908 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.0595 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05941 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05932 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05897 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8419 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-8419, GHSA-m4j5-5x4r-2xp9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gnxr-2t9g-4ye4 |
|
| 37 |
| url |
VCID-gzz6-md9v-b3em |
| vulnerability_id |
VCID-gzz6-md9v-b3em |
| summary |
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3009 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.07718 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.07686 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09089 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09121 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0909 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09009 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09076 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.08971 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0895 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0912 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3009 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3009, GHSA-m297-3jv9-m927
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gzz6-md9v-b3em |
|
| 38 |
| url |
VCID-htax-rbrs-mbdu |
| vulnerability_id |
VCID-htax-rbrs-mbdu |
| summary |
Keycloak Denial of Service via account lockout
In any realm set with "User (Self) registration", a user who is registered with a username in email format can be "locked out" (denied from logging in) using their username. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1722 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61158 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61171 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61151 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61093 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61135 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61121 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61087 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61185 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61179 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61139 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1722 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 11 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 12 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 13 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 14 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 15 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 16 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 17 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 18 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 19 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 20 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 21 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 22 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 23 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 24 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 25 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 26 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 27 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 28 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 29 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 30 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 31 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 32 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 33 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 34 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 35 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 36 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 37 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 38 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 39 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 40 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 41 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.0 |
|
|
| aliases |
CVE-2024-1722, GHSA-cq42-vhv7-xr7p
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-htax-rbrs-mbdu |
|
| 39 |
| url |
VCID-j4ar-u2rr-qkfu |
| vulnerability_id |
VCID-j4ar-u2rr-qkfu |
| summary |
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4540 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50885 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50799 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50824 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50782 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50839 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50837 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50879 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50856 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50841 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4540 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 28 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
CVE-2024-4540, GHSA-69fp-7c8p-crjr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j4ar-u2rr-qkfu |
|
| 40 |
| url |
VCID-jh5h-pp29-1kbr |
| vulnerability_id |
VCID-jh5h-pp29-1kbr |
| summary |
Client Spoofing within the Keycloak Device Authorisation Grant
Under certain pre-conditions the vulnerability allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-2585 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.2974 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29872 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29918 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29734 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29796 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29831 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29841 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29795 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29744 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00112 |
| scoring_system |
epss |
| scoring_elements |
0.29762 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-2585 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 20 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 21 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 22 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 23 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 24 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 25 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 26 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 27 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 28 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 29 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 30 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 31 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 32 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 33 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 34 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 35 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 36 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 37 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 38 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 39 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 40 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 41 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 42 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 43 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 44 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 45 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 46 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.1.2 |
|
|
| aliases |
CVE-2023-2585, GHSA-f5h4-wmp5-xhg6
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jh5h-pp29-1kbr |
|
| 41 |
| url |
VCID-ju1d-vwgb-bqbn |
| vulnerability_id |
VCID-ju1d-vwgb-bqbn |
| summary |
Keycloak Authorization Bypass vulnerability
Due to a permissive regular expression hardcoded for filtering the hosts allowed to register a dynamic client, a malicious user with enough information about the environment could take advantage of it and jeopardize an environment using this specific Dynamic Client Registration with TrustedDomain configuration, which was previously unauthorized.
#### Acknowledgements:
Special thanks to Bastian Kanbach for reporting this issue and helping us improve our security. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6544 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.76983 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.77002 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.76973 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.77015 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79818 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79791 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79813 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79797 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79789 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79817 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6544 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6544, GHSA-46c8-635v-68r2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ju1d-vwgb-bqbn |
|
| 42 |
| url |
VCID-kzc8-pgz7-6bep |
| vulnerability_id |
VCID-kzc8-pgz7-6bep |
| summary |
Keycloak Insufficient Session Expiry
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1724 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33353 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33377 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33342 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33403 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33369 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33406 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33314 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33451 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33365 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33482 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33323 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1724 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 26 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 27 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 28 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 29 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 30 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 31 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 32 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 33 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 34 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 35 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 36 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 37 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 38 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 39 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 40 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 41 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 42 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 43 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 44 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 45 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 46 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 47 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 48 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 49 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 50 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 51 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 52 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 53 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 54 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 55 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 56 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 57 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 58 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 59 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 60 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 61 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 62 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 63 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 64 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 65 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 66 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 67 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 68 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 69 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@9.0.2 |
|
|
| aliases |
CVE-2020-1724, GHSA-8xj2-47xw-q78c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kzc8-pgz7-6bep |
|
| 43 |
| url |
VCID-m3uj-4mag-kbf2 |
| vulnerability_id |
VCID-m3uj-4mag-kbf2 |
| summary |
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2733 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12651 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12873 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12924 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12727 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12807 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12857 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12823 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12787 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12741 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12643 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2733 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2733, GHSA-fjf4-6f34-w64q
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m3uj-4mag-kbf2 |
|
| 44 |
| url |
VCID-mku9-3bpp-aqbk |
| vulnerability_id |
VCID-mku9-3bpp-aqbk |
| summary |
Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-27gp-8389-hm4w. This link is maintained to preserve external references.
### Original Description
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-83j7-mhw9-388w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mku9-3bpp-aqbk |
|
| 45 |
| url |
VCID-n76a-pfh2-57bn |
| vulnerability_id |
VCID-n76a-pfh2-57bn |
| summary |
Duplicate Advisory: Keycloak has a brute force login protection bypass
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references.
## Original Description
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. |
| references |
| 9 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.4 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 20 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 21 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 22 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 23 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 24 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 25 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 26 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 27 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 28 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 29 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 30 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 31 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.4 |
|
|
| aliases |
GHSA-8wm9-24qg-m5qj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n76a-pfh2-57bn |
|
| 46 |
| url |
VCID-nhe2-8dtq-gqbf |
| vulnerability_id |
VCID-nhe2-8dtq-gqbf |
| summary |
URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
| references |
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39708 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39721 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39743 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39661 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.3973 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39739 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39703 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39687 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39737 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 20 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 21 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 22 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 23 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 24 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 25 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 26 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 27 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 28 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 29 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 30 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 31 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 32 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 33 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 34 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 35 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 36 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 37 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 38 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 39 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 40 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 41 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 42 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 43 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 44 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
| 45 |
| vulnerability |
VCID-zp22-a33x-bqfq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 20 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 21 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 22 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 23 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 24 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 25 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 26 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 27 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 28 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 29 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 30 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 31 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 32 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 33 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 34 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 35 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 36 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 37 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 38 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 39 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 40 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 41 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 42 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 43 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.3 |
|
|
| aliases |
CVE-2023-6291, GHSA-mpwq-j3xf-7m5w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhe2-8dtq-gqbf |
|
| 47 |
| url |
VCID-nxhc-rp71-hbdk |
| vulnerability_id |
VCID-nxhc-rp71-hbdk |
| summary |
Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xhpr-465j-7p9q. This link is maintained to preserve external references.
### Original Description
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-gj52-35xm-gxjh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nxhc-rp71-hbdk |
|
| 48 |
| url |
VCID-pjgz-fa5h-tkfh |
| vulnerability_id |
VCID-pjgz-fa5h-tkfh |
| summary |
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to regular expression complexity. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10175 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10175 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10176 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10176 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10177 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10177 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10178 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10178 |
|
| 5 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-10270 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-10270 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-10270 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25053 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25107 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25064 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25133 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25056 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25148 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37311 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37216 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37165 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37337 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-10270 |
|
| 7 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2321214 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2321214 |
|
| 8 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
|
| fixed_packages |
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 4 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 5 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 6 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 7 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 8 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 15 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 16 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 17 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 18 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 19 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 20 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 21 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.6 |
|
|
| aliases |
CVE-2024-10270, GHSA-wq8x-cg39-8mrr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pjgz-fa5h-tkfh |
|
| 49 |
| url |
VCID-qexf-7axp-9kas |
| vulnerability_id |
VCID-qexf-7axp-9kas |
| summary |
Improper Certificate Validation
It was found that SAML authentication in Keycloak incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. |
| references |
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10894 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1731 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1705 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17045 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17107 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17167 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17215 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17237 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17089 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1718 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17088 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1726 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10894 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@4.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-services@4.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-4p6v-j4up-2ye2 |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 26 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 27 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 28 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 29 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 30 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 31 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 32 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 33 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 34 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 35 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 36 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 37 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 38 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 39 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 40 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 41 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 42 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 43 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 44 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 45 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 46 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 47 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 48 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 49 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 50 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 51 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 52 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 53 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 54 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 55 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 56 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 57 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 58 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 59 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 60 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 61 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 62 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 63 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 64 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 65 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 66 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 67 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 68 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 69 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 70 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 71 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@4.4.0.Final |
|
|
| aliases |
CVE-2018-10894, GHSA-xvv8-8wh9-9fh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qexf-7axp-9kas |
|
| 50 |
| url |
VCID-qgbq-s33g-d7af |
| vulnerability_id |
VCID-qgbq-s33g-d7af |
| summary |
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. |
| references |
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3429 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13935 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16588 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16727 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16706 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16989 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19006 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19091 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19038 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18994 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3429 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3429, GHSA-8g9r-9wjw-37j4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qgbq-s33g-d7af |
|
| 51 |
| url |
VCID-r5g8-gcss-zuh4 |
| vulnerability_id |
VCID-r5g8-gcss-zuh4 |
| summary |
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients
When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3883 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3883 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3884 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3884 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3885 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3885 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3888 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3888 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2023:3892 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2023:3892 |
|
| 5 |
|
| 6 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-2422 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-2422 |
|
| 7 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-2422 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52724 |
| published_at |
2026-04-08T12:55:00Z |
|
| 1 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52682 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52708 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52674 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52719 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52769 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52752 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00294 |
| scoring_system |
epss |
| scoring_elements |
0.52736 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00323 |
| scoring_system |
epss |
| scoring_elements |
0.55376 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00323 |
| scoring_system |
epss |
| scoring_elements |
0.55372 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-2422 |
|
| 8 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2191668 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-03T18:15:34Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2191668 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 20 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 21 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 22 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 23 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 24 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 25 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 26 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 27 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 28 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 29 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 30 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 31 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 32 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 33 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 34 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 35 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 36 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 37 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 38 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 39 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 40 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 41 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 42 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 43 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 44 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 45 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 46 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.1.2 |
|
|
| aliases |
CVE-2023-2422, GHSA-3qh5-qqj2-c78f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r5g8-gcss-zuh4 |
|
| 52 |
| url |
VCID-rrkd-31d4-9yaq |
| vulnerability_id |
VCID-rrkd-31d4-9yaq |
| summary |
Keycloak vulnerable to LDAP Injection on UsernameForm Login
A flaw was found in the Keycloak package. This flaw allows an attacker to manipulate an LDAP query and access existing usernames on the server. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2232 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00083 |
| scoring_system |
epss |
| scoring_elements |
0.24445 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00083 |
| scoring_system |
epss |
| scoring_elements |
0.24479 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29831 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29826 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29888 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29924 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29929 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29883 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29834 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29852 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2232 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 20 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 21 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 22 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 23 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 24 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 25 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 26 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 27 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 28 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 29 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 30 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 31 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 32 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 33 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 34 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 35 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 36 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 37 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 38 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 39 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 40 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 41 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 42 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 43 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.1 |
|
|
| aliases |
CVE-2022-2232, GHSA-8hc5-rmgf-qx6p
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rrkd-31d4-9yaq |
|
| 53 |
| url |
VCID-rssz-yqj9-b7h8 |
| vulnerability_id |
VCID-rssz-yqj9-b7h8 |
| summary |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14366 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59715 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59676 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.5969 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.5971 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59693 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59674 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59707 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59557 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59631 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59656 |
| published_at |
2026-04-04T12:55:00Z |
|
| 10 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59625 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14366 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 26 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 27 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 28 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 29 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 30 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 31 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 32 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 33 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 34 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 35 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 36 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 37 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 38 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 39 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 40 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 41 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 42 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 43 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 44 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 45 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 46 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 47 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 48 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 49 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 50 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 51 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 52 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 53 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 54 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 55 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 56 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 57 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 58 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 59 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 60 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 61 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 62 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 63 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 64 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 65 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 66 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 67 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@12.0.0 |
|
|
| aliases |
CVE-2020-14366, GHSA-cp67-8w3w-6h9c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rssz-yqj9-b7h8 |
|
| 54 |
| url |
VCID-scdf-8m3d-vqff |
| vulnerability_id |
VCID-scdf-8m3d-vqff |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1245 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62253 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62087 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62148 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62179 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62147 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62197 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62215 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62233 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62222 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62201 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62246 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1245 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@18.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 4 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 5 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 6 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 7 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 8 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 9 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 10 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 11 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 12 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 13 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 14 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 15 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 16 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 17 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 18 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 19 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 20 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 21 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 22 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 23 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 24 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 25 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 26 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 27 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 28 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 29 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 30 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 31 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 32 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 33 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 34 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 35 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 36 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 37 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 38 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 39 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 40 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 41 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 42 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 43 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 44 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 45 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 46 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 47 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 48 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 49 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 50 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 51 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 52 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@18.0.0 |
|
|
| aliases |
CVE-2022-1245, GHSA-75p6-52g3-rqc8, GMS-2022-1039
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-scdf-8m3d-vqff |
|
| 55 |
| url |
VCID-sgbm-r5mm-sbbx |
| vulnerability_id |
VCID-sgbm-r5mm-sbbx |
| summary |
Keycloak path traversal vulnerability in redirection validation
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.
#### Acknowledgements:
Special thanks to Axel Flamcourt for reporting this issue and helping us improve our project. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1860 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1860 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1861 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1861 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1862 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1862 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1864 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1864 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1866 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1866 |
|
| 5 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 6 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 7 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:2945 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:2945 |
|
| 8 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3752 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3752 |
|
| 9 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3762 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3762 |
|
| 10 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3919 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3919 |
|
| 11 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3989 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3989 |
|
| 12 |
|
| 13 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-1132 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-1132 |
|
| 14 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1132 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00251 |
| scoring_system |
epss |
| scoring_elements |
0.48439 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00251 |
| scoring_system |
epss |
| scoring_elements |
0.4846 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55624 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55559 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55611 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55612 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55621 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.556 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55583 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1132 |
|
| 15 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2262117 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2262117 |
|
| 16 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-1132, GHSA-72vp-xfrc-42xm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sgbm-r5mm-sbbx |
|
| 56 |
| url |
VCID-sk6p-vfu6-7kem |
| vulnerability_id |
VCID-sk6p-vfu6-7kem |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50621 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50518 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50573 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.5057 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50612 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50589 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50574 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50616 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50481 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50537 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50565 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 26 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 27 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 28 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 29 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 30 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 31 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 32 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 33 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 34 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 35 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 36 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 37 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 38 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 39 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 40 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 41 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 42 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 43 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 44 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 45 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 46 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 47 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 48 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 49 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 50 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 51 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 52 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 53 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 54 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 55 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 56 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 57 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 58 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 59 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 60 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 61 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 62 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 63 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 64 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 65 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 66 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 67 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@12.0.0 |
|
|
| aliases |
CVE-2020-10776, GHSA-484q-784p-8m5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sk6p-vfu6-7kem |
|
| 57 |
| url |
VCID-th5p-51pd-3ffg |
| vulnerability_id |
VCID-th5p-51pd-3ffg |
| summary |
Improper privilege management in Keycloak
A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35326 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35321 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35299 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35337 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35177 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35378 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35403 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35285 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35331 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35356 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35358 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d1ua-u2v7-jqf8 |
|
| 26 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 27 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 28 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 29 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 30 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 31 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 32 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 33 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 34 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 35 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 36 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 37 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 38 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 39 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 40 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 41 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 42 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 43 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 44 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 45 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 46 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 47 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 48 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 49 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 50 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 51 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 52 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 53 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 54 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 55 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 56 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 57 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 58 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 59 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 60 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 61 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 62 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 63 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 64 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 65 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 66 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 67 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@12.0.0 |
|
|
| aliases |
CVE-2020-14389, GHSA-c9x9-xv66-xp3v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-th5p-51pd-3ffg |
|
| 58 |
| url |
VCID-u5ba-kpd5-67bm |
| vulnerability_id |
VCID-u5ba-kpd5-67bm |
| summary |
Keycloak discloses information without authentication
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27838 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.9936 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99357 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99356 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99355 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99354 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99349 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99353 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.85144 |
| scoring_system |
epss |
| scoring_elements |
0.99352 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27838 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 4 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 5 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 6 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 7 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 8 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 9 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 10 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 11 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 12 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 13 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 14 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 15 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 16 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 17 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 18 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 19 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 20 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 21 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 22 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 23 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 24 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 25 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 26 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 27 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 28 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 29 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 30 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 31 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 32 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 33 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 34 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 35 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 36 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 37 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 38 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 39 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 40 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 41 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 42 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 43 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 44 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 45 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 46 |
| vulnerability |
VCID-u3tj-vmem-jbb9 |
|
| 47 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 48 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 49 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 50 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 51 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 52 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 53 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 54 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 55 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 56 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 57 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 58 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 59 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@13.0.0 |
|
|
| aliases |
CVE-2020-27838, GHSA-pcv5-m2wh-66j3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u5ba-kpd5-67bm |
|
| 59 |
| url |
VCID-uuf2-u7xh-uuef |
| vulnerability_id |
VCID-uuf2-u7xh-uuef |
| summary |
Keycloak does not invalidate offline sessions when the offline_access scope is removed
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, but they are. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12110 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17422 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17639 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17685 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17403 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17495 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17556 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17569 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17522 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17469 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17411 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12110 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-12110, GHSA-895x-rfqp-jh5c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uuf2-u7xh-uuef |
|
| 60 |
| url |
VCID-v7r6-3873-77dc |
| vulnerability_id |
VCID-v7r6-3873-77dc |
| summary |
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references.
## Original Description
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 28 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
GHSA-4vrx-8phj-x3mg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v7r6-3873-77dc |
|
| 61 |
| url |
VCID-ver5-9t6m-c3ef |
| vulnerability_id |
VCID-ver5-9t6m-c3ef |
| summary |
Keycloak Admin REST API exposes backend schema and rules
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14083 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10165 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.1077 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10994 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10819 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10894 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10947 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10948 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10915 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10893 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10758 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14083 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-14083, GHSA-594w-2fwp-jwrc
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ver5-9t6m-c3ef |
|
| 62 |
| url |
VCID-vstv-ec14-quc5 |
| vulnerability_id |
VCID-vstv-ec14-quc5 |
| summary |
Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wq8x-cg39-8mrr. This link is maintained to preserve external references.
## Original Description
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 4 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 5 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 6 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 7 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 8 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 15 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 16 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 17 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 18 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 19 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 20 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 21 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.6 |
|
|
| aliases |
GHSA-j3x3-r585-4qhg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vstv-ec14-quc5 |
|
| 63 |
| url |
VCID-w5f1-xryr-fucq |
| vulnerability_id |
VCID-w5f1-xryr-fucq |
| summary |
Keycloak does not validate and update refresh token usage atomically
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1035 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01222 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01204 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01219 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01228 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01234 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01237 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0122 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01214 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01216 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01209 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1035 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1035, GHSA-m2w5-7xhv-w6fh
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w5f1-xryr-fucq |
|
| 64 |
| url |
VCID-whsx-d6an-hkdm |
| vulnerability_id |
VCID-whsx-d6an-hkdm |
| summary |
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).
Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.
#### Acknowledgements:
Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1353 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1353 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:2945 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:2945 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:4057 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:4057 |
|
| 5 |
|
| 6 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-6717 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-6717 |
|
| 7 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6717 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22709 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22752 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22695 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22712 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22791 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.2322 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23263 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23306 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23096 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23169 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6717 |
|
| 8 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6717, GHSA-8rmm-gm28-pj8q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-whsx-d6an-hkdm |
|
| 65 |
| url |
VCID-x4aw-v76q-vbdc |
| vulnerability_id |
VCID-x4aw-v76q-vbdc |
| summary |
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12150 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01605 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01613 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01619 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.0162 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01627 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01604 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01603 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01591 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12150 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-12150, GHSA-7g5x-9c4v-4w5r
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x4aw-v76q-vbdc |
|
| 66 |
| url |
VCID-xd7x-aevv-cfcp |
| vulnerability_id |
VCID-xd7x-aevv-cfcp |
| summary |
Keycloak: Denial of Service due to excessive SAMLRequest decompression
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2575 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08376 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08475 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08531 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08449 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08523 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08543 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08537 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08517 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08501 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08393 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2575 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2575, GHSA-xv6h-r36f-3gp5
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xd7x-aevv-cfcp |
|
| 67 |
| url |
VCID-xdxx-tdkj-wbba |
| vulnerability_id |
VCID-xdxx-tdkj-wbba |
| summary |
Improper Certificate Validation
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.488 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48704 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48759 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48756 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48773 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48747 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48755 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48804 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48685 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48724 |
| published_at |
2026-04-02T12:55:00Z |
|
| 10 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.4875 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 26 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 27 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 28 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 29 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 30 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 31 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 32 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 33 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 34 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 35 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 36 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 37 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 38 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 39 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 40 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 41 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 42 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 43 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 44 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 45 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 46 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 47 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 48 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 49 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 50 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 51 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 52 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 53 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 54 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 55 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 56 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 57 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 58 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 59 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 60 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 61 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 62 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 63 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 64 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 65 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 66 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 67 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 68 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@10.0.0 |
|
|
| aliases |
CVE-2020-1758, GHSA-c597-f74m-jgc2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xdxx-tdkj-wbba |
|
| 68 |
| url |
VCID-xfnw-15sz-zyfr |
| vulnerability_id |
VCID-xfnw-15sz-zyfr |
| summary |
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14082 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01382 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01613 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01605 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01607 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01604 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.021 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02131 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02116 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02111 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02087 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14082 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-14082, GHSA-6q37-7866-h27j
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xfnw-15sz-zyfr |
|
| 69 |
| url |
VCID-xunx-3k8h-g7ar |
| vulnerability_id |
VCID-xunx-3k8h-g7ar |
| summary |
JBoss KeyCloak Open Redirect
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2014-3652 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44612 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.4456 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44582 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.4452 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44571 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44576 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44592 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44563 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44564 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.4462 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44491 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2014-3652 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@1.1.0.Beta1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@1.1.0.Beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 2 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 3 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 4 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 5 |
| vulnerability |
VCID-3bcu-tbpy-gfg6 |
|
| 6 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 7 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 8 |
| vulnerability |
VCID-44rr-5gtu-bfev |
|
| 9 |
| vulnerability |
VCID-4p6v-j4up-2ye2 |
|
| 10 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 11 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 12 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 13 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 14 |
| vulnerability |
VCID-6s4w-hv7a-ffaw |
|
| 15 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 16 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 17 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 18 |
| vulnerability |
VCID-98yf-g4d3-u3g8 |
|
| 19 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 20 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 21 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 22 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 23 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 24 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 25 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 26 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 27 |
| vulnerability |
VCID-djwn-hkwg-g3gk |
|
| 28 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 29 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 30 |
| vulnerability |
VCID-e9qa-sy57-fqby |
|
| 31 |
| vulnerability |
VCID-em5z-nvqy-fucp |
|
| 32 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 33 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 34 |
| vulnerability |
VCID-gjy5-c6by-2ufg |
|
| 35 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 36 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 37 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 38 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 39 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 40 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 41 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 42 |
| vulnerability |
VCID-kzc8-pgz7-6bep |
|
| 43 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 44 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 45 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 46 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 47 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 48 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 49 |
| vulnerability |
VCID-qexf-7axp-9kas |
|
| 50 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 51 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 52 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 53 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 54 |
| vulnerability |
VCID-scdf-8m3d-vqff |
|
| 55 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 56 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 57 |
| vulnerability |
VCID-th5p-51pd-3ffg |
|
| 58 |
| vulnerability |
VCID-u5ba-kpd5-67bm |
|
| 59 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 60 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 61 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 62 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 63 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 64 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 65 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 66 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 67 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 68 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 69 |
| vulnerability |
VCID-xy58-u3se-wfdb |
|
| 70 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 71 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 72 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@1.1.0.Beta1 |
|
|
| aliases |
CVE-2014-3652, GHSA-5r7w-pjx8-99qg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xunx-3k8h-g7ar |
|
| 70 |
| url |
VCID-xy58-u3se-wfdb |
| vulnerability_id |
VCID-xy58-u3se-wfdb |
| summary |
Keycloak vulnerable to user impersonation via stolen UUID code
Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0264 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88345 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88353 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88343 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88337 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88299 |
| published_at |
2026-04-02T12:55:00Z |
|
| 5 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88355 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88358 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88317 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.03942 |
| scoring_system |
epss |
| scoring_elements |
0.88313 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0264 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@19.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@19.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-2xyb-g3n4-n3ca |
|
| 3 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 4 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 5 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 6 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 7 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 8 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 9 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 10 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 11 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 12 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 13 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 14 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 15 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 16 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 17 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 18 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 19 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 20 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 21 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 22 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 23 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 24 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 25 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 26 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 27 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 28 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 29 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 30 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 31 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 32 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 33 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 34 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 35 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 36 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 37 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 38 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 39 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 40 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 41 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 42 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 43 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 44 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 45 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 46 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 47 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 48 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 49 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 50 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 51 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@19.0.0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@21.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@21.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-83en-fek9-4qd7 |
|
| 10 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 11 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 12 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 13 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 14 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 15 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 16 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 17 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 18 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 19 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 20 |
| vulnerability |
VCID-engr-q4ge-53dc |
|
| 21 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 22 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 23 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 24 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 25 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 26 |
| vulnerability |
VCID-jh5h-pp29-1kbr |
|
| 27 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 28 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 29 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 30 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 31 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 32 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 33 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 34 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 35 |
| vulnerability |
VCID-r5g8-gcss-zuh4 |
|
| 36 |
| vulnerability |
VCID-rrkd-31d4-9yaq |
|
| 37 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 38 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 39 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 40 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 41 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 42 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 43 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 44 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 45 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 46 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 47 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 48 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 49 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@21.0.1 |
|
|
| aliases |
CVE-2023-0264, GHSA-9g98-5mj6-f9mv, GMS-2023-573
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xy58-u3se-wfdb |
|
| 71 |
| url |
VCID-y1h3-yyn9-53fr |
| vulnerability_id |
VCID-y1h3-yyn9-53fr |
| summary |
Keycloak: Unauthorized authentication via disabled SAML Identity Provider
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2603 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.3858 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38518 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38504 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38495 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38444 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38556 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45478 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45429 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.4543 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45482 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2603 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2603, GHSA-x4p7-7chp-64hq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y1h3-yyn9-53fr |
|
| 72 |
| url |
VCID-ysyw-rgyv-bkhj |
| vulnerability_id |
VCID-ysyw-rgyv-bkhj |
| summary |
Keycloak Services has a potential bypass of brute force protection
If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.
**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
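The race the summary describes, shown as an added example that is not Keycloak's code: a check-then-count protector (lock status read first, failure recorded only after the password has been verified) beside a reserve-then-verify one (the attempt is charged against the user's budget before verification), both run against ten parallel wrong guesses. The `FailureStore`, the `MAX_FAILURES` value of 3, the user and the guesses are constructed for the example; the store's reads and writes are awaited so that concurrent requests interleave the way they would against a shared database or cache.

```javascript
"use strict";

// Hypothetical realm setting: lock the account after this many failed logins.
const MAX_FAILURES = 3;
// Constructed sample credential; every guess used below is wrong.
const USER = "alice";
const REAL_PASSWORD = "correct horse battery staple";

// In-memory stand-in for the brute-force counter store. Reads and writes are
// asynchronous so that concurrent login requests interleave as they do against
// a real database or cache.
class FailureStore {
  constructor() { this.failures = new Map(); }

  async get(user) {
    await Promise.resolve();                      // simulated round trip
    return this.failures.get(user) || 0;
  }

  async set(user, n) {
    await Promise.resolve();
    this.failures.set(user, n);
  }

  // Single compare-and-increment with no suspension point between the read,
  // the comparison and the write (in a real deployment: one conditional UPDATE
  // or an atomic INCR whose returned value is checked).
  async reserveAttempt(user, max) {
    const n = this.failures.get(user) || 0;
    const granted = n < max;
    if (granted) this.failures.set(user, n + 1);
    await Promise.resolve();
    return granted;
  }
}

// Counts how many guesses actually reach password verification.
class Verifier {
  constructor() { this.calls = 0; }
  async verify(user, password) {
    this.calls += 1;
    await Promise.resolve();                      // stands in for the slow password hash
    return user === USER && password === REAL_PASSWORD;
  }
}

// Flawed ordering: lock status is read, the password is verified, and the
// failure is counted only afterwards. Requests that all read "not locked"
// before any of them has written a failure are all verified.
async function loginVulnerable(store, verifier, user, password) {
  if ((await store.get(user)) >= MAX_FAILURES) return "locked";
  if (await verifier.verify(user, password)) {
    await store.set(user, 0);
    return "ok";
  }
  await store.set(user, (await store.get(user)) + 1);   // counted too late, and racy
  return "failed";
}

// Hardened ordering: an attempt is charged before the password is verified, so
// no interleaving can verify more than MAX_FAILURES wrong guesses. A successful
// login clears the counter.
async function loginHardened(store, verifier, user, password) {
  if (!(await store.reserveAttempt(user, MAX_FAILURES))) return "locked";
  if (await verifier.verify(user, password)) {
    await store.set(user, 0);
    return "ok";
  }
  return "failed";
}

// Fire every guess concurrently; report how many reached verification and how
// many the protector refused.
async function runParallel(login, store, guesses) {
  const verifier = new Verifier();
  const results = await Promise.all(guesses.map((g) => login(store, verifier, USER, g)));
  return {
    verified: verifier.calls,
    locked: results.filter((r) => r === "locked").length,
    failed: results.filter((r) => r === "failed").length,
  };
}

async function demo() {
  const guesses = Array.from({ length: 10 }, (_, i) => `wrong-${i}`);   // constructed
  const vulnerable = await runParallel(loginVulnerable, new FailureStore(), guesses);
  const hardened = await runParallel(loginHardened, new FailureStore(), guesses);
  return { vulnerable, hardened };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

With ten parallel guesses the check-then-count protector lets all ten reach the password check, because every request reads a counter of zero before any of them writes; the reserve-then-verify protector verifies exactly three and refuses the other seven. The same property holds for a multi-threaded server only if the reservation is a single atomic operation on the shared store, which is the point the advisory's "check occurring before the protector has locked the user" makes.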
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6493 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6493 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6494 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6494 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6495 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6495 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6497 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6497 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6499 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6499 |
|
| 5 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6500 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6500 |
|
| 6 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6501 |
|
| 7 |
|
| 8 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-4629 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-4629 |
|
| 9 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4629 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.78008 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77923 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77951 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77933 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.7796 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77964 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77991 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77975 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77973 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.78009 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4629 |
|
| 10 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2276761 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2276761 |
|
| 11 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.4 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.4 |
|
|
| aliases |
CVE-2024-4629, GHSA-gc7q-jgjv-vjr2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ysyw-rgyv-bkhj |
|
| 73 |
| url |
VCID-z2bw-n4x2-a7gj |
| vulnerability_id |
VCID-z2bw-n4x2-a7gj |
| summary |
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
#### Acknowledgements
Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project. |
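The origin validation the summary calls for, shown as an added example that is not Keycloak's login-status iframe code: a `message` handler that answers every sender beside one that answers only registered origins and well-formed payloads, plus a flood simulation that counts how many replies a sender can extract. `ALLOWED_ORIGINS`, the session-state token, the payload format and the "changed"/"unchanged" replies are assumptions for the example, modelled on how a session-status iframe generally works rather than on Keycloak's implementation.

```javascript
"use strict";

// Constructed sample: the origins registered for the client that embeds this
// iframe (the analogue of a client's allowed web origins; hypothetical values).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// The iframe's view of the current session (constructed). The embedding page
// sends the session state it last saw and is told whether it changed.
const CURRENT_SESSION_STATE = "sess-7f3a";

// Payloads are expected to be short opaque tokens; anything else is dropped
// before it costs any work.
const SESSION_STATE_RE = /^[A-Za-z0-9._-]{1,128}$/;

function compareState(data) {
  return data === CURRENT_SESSION_STATE ? "unchanged" : "changed";
}

// Vulnerable handler: answers every message from every origin. Any page that
// embeds the iframe can post as fast as it likes and is answered each time.
function handleMessageVulnerable(event) {
  return { target: event.origin, reply: compareState(event.data) };
}

// Hardened handler: only registered origins are answered, malformed payloads
// are dropped silently, and the reply is addressed to the verified origin,
// never to "*".
function handleMessageHardened(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  if (typeof event.data !== "string" || !SESSION_STATE_RE.test(event.data)) return null;
  return { target: event.origin, reply: compareState(event.data) };
}

// Simulate a burst of n messages from one origin and count the replies; each
// reply is work the iframe performs on the sender's behalf.
function flood(handler, origin, n, data = CURRENT_SESSION_STATE) {
  let replies = 0;
  for (let i = 0; i < n; i++) {
    if (handler({ origin, data }) !== null) replies++;
  }
  return replies;
}

// Browser wiring (not run here): the handler above holds all of the logic.
function install(handler, win) {
  win.addEventListener("message", (event) => {
    const out = handler(event);
    if (out !== null) event.source.postMessage(out.reply, out.target);
  });
}
```

A thousand messages from an unregistered origin draw a thousand replies from the first handler and none from the second; a registered origin is still answered. Origin validation confines the flood to pages that already run the client's own trusted code, which is the property the advisory's fix restores; a per-origin rate limit on top of it is a further layer of my own, not something the advisory describes.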
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1249 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38284 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38318 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38282 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38257 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38304 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.39001 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.39019 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.39004 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.38952 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.3902 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1249 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-1249, GHSA-m6q9-p373-g5q8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z2bw-n4x2-a7gj |
|