| 0 |
| url |
VCID-13dn-ke8h-67ez |
| vulnerability_id |
VCID-13dn-ke8h-67ez |
| summary |
Insufficient Session Expiration
A flaw was found in Keycloak. This flaw allows a malicious user who is currently logged in to see the personal information of a previously logged-out user in the account manager section. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1724 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33175 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33256 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33293 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33277 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1724 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 1 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 2 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 3 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 15 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 16 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 17 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 18 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 19 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 20 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 21 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 22 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 23 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 24 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 25 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 26 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 27 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 28 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 29 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 30 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 31 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 32 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 33 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 34 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.2 |
|
|
| aliases |
CVE-2020-1724, GHSA-8xj2-47xw-q78c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-13dn-ke8h-67ez |
|
| 1 |
| url |
VCID-2ba6-j1fs-2kfc |
| vulnerability_id |
VCID-2ba6-j1fs-2kfc |
| summary |
arbitrary code execution |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@11.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@11.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 2 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 3 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 4 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 5 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 6 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 7 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 8 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 9 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 10 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 11 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 12 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 13 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 14 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 15 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 16 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 17 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 18 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 19 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 20 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 21 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 22 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 23 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 24 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 25 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 26 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 27 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 28 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 29 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 30 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 31 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@11.0.0 |
|
|
| aliases |
CVE-2020-1714, GHSA-m6mm-q862-j366
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2ba6-j1fs-2kfc |
|
| 2 |
| url |
VCID-2qmw-afpp-7qa8 |
| vulnerability_id |
VCID-2qmw-afpp-7qa8 |
| summary |
Improper Authentication
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1718 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58966 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58922 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.5897 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58974 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1718 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2020-1718, GHSA-j229-2h63-rvh9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2qmw-afpp-7qa8 |
|
| 3 |
| url |
VCID-361y-pegm-gqbs |
| vulnerability_id |
VCID-361y-pegm-gqbs |
| summary |
Improper authorization in Keycloak
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1466 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36403 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36373 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36411 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36309 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1466 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-1466, GHSA-f32v-vf79-p29q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-361y-pegm-gqbs |
|
| 4 |
| url |
VCID-3kg4-uvgq-5khf |
| vulnerability_id |
VCID-3kg4-uvgq-5khf |
| summary |
Server-Side Request Forgery (SSRF)
A flaw was found in Keycloak: the server can be made to fetch an unverified URL supplied in the OIDC `request_uri` parameter. An attacker can use this parameter to perform a server-side request forgery (SSRF) attack. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 2 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 3 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 4 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 5 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 6 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 7 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 8 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 9 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 10 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 11 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 12 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 13 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 14 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 15 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 16 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 17 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 18 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 19 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 20 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 21 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 22 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 23 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 24 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 25 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 26 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 27 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.2 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-10770, GHSA-jh7q-5mwf-qvhw
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3kg4-uvgq-5khf |
|
| 5 |
| url |
VCID-5zh6-37gp-pbas |
| vulnerability_id |
VCID-5zh6-37gp-pbas |
| summary |
Improper Authentication
The SAML broker consumer endpoint in Keycloak ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14637 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00301 |
| scoring_system |
epss |
| scoring_elements |
0.53727 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00301 |
| scoring_system |
epss |
| scoring_elements |
0.53672 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00301 |
| scoring_system |
epss |
| scoring_elements |
0.5373 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00301 |
| scoring_system |
epss |
| scoring_elements |
0.53739 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14637 |
|
|
| fixed_packages |
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 10 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 11 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 12 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 13 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 14 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 15 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 16 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 17 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 18 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 19 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 20 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 21 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 22 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 23 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 24 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 25 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 26 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 27 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 28 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 29 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 30 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 31 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 32 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 33 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 34 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 35 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 36 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 37 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 38 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 39 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 40 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 41 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 42 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 43 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 44 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 45 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 46 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@4.6.0.Final |
|
|
| aliases |
CVE-2018-14637, GHSA-gf2j-7qwg-4f5x
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5zh6-37gp-pbas |
|
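The entry above describes a SAML broker consumer that ignored the time conditions on assertions, so a captured assertion stayed usable indefinitely. The following is an added example, not Keycloak's code, showing the check a consumer must perform on `<saml:Conditions>`: parse `NotBefore` and `NotOnOrAfter`, compare them with the current time under a bounded clock skew, enforce the `AudienceRestriction`, and fail closed when the element or its timestamps are missing. The sample assertion is constructed inline and unsigned; in a real consumer signature verification comes first and this check is performed in addition to it. The issuer, audience and identifiers are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % SAML_NS["saml"]
AUDIENCE = "https://sp.example/metadata"  # assumed SP entity ID for the example


class AssertionRejected(Exception):
    """Raised when an assertion must not be accepted."""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC ('Z'); fractional seconds allowed."""
    if not value.endswith("Z"):
        raise AssertionRejected(f"timestamp not in UTC: {value!r}")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise AssertionRejected(f"unparseable timestamp: {value!r}")


def check_conditions(assertion_xml: str, now: datetime, expected_audience: str,
                     max_skew: timedelta = timedelta(seconds=60)) -> dict:
    """Enforce <saml:Conditions>: the NotBefore/NotOnOrAfter window (with a bounded
    clock skew) and the AudienceRestriction. Fails closed: a missing Conditions
    element or timestamp is a rejection, not 'no restriction'. This is the check
    the advisory says the broker skipped; it runs after signature verification."""
    root = ET.fromstring(assertion_xml)
    if root.tag != ASSERTION_TAG:
        raise AssertionRejected("root element is not a saml:Assertion")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise AssertionRejected("assertion has no Conditions element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None:
        raise AssertionRejected("Conditions lacks NotBefore or NotOnOrAfter")
    not_before, not_on_or_after = parse_saml_time(nb), parse_saml_time(noa)
    if not_on_or_after <= not_before:
        raise AssertionRejected("empty validity window")
    if now + max_skew < not_before:
        raise AssertionRejected("assertion not yet valid")
    if now - max_skew >= not_on_or_after:
        raise AssertionRejected("assertion expired; possible replay")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audiences and expected_audience not in audiences:
        raise AssertionRejected("assertion not intended for this audience")
    return {"not_before": not_before, "not_on_or_after": not_on_or_after, "audiences": audiences}


def make_assertion(not_before: datetime, not_on_or_after: datetime, audience: str = AUDIENCE) -> str:
    """Build a minimal, unsigned assertion (constructed input for the example only)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_example" Version="2.0">'
        "<saml:Issuer>https://idp.example/metadata</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before.strftime(fmt)}" NotOnOrAfter="{not_on_or_after.strftime(fmt)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    fresh = make_assertion(now - timedelta(minutes=1), now + timedelta(minutes=5))
    print("fresh:", check_conditions(fresh, now, AUDIENCE))
    stale = make_assertion(now - timedelta(hours=2), now - timedelta(hours=1))
    try:
        check_conditions(stale, now, AUDIENCE)
    except AssertionRejected as e:
        print("stale:", e)
```

The skew is applied in the attacker's disfavour on both edges: an assertion is accepted only if it would be valid at some instant within `max_skew` of the consumer's clock, so a replayed assertion whose `NotOnOrAfter` is an hour old is rejected regardless of how the identity provider's clock drifts.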
| 6 |
| url |
VCID-7662-z35s-9qeq |
| vulnerability_id |
VCID-7662-z35s-9qeq |
| summary |
multiple issues |
| references |
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.4212 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42063 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42137 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42148 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-3513, GHSA-xv7h-95r7-595j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7662-z35s-9qeq |
|
| 7 |
| url |
VCID-7pje-w98s-9ueg |
| vulnerability_id |
VCID-7pje-w98s-9ueg |
| summary |
Keycloak Denial of Service vulnerability
A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature. |
| references |
| 2 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2254714 |
|
| 3 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 11 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
| reference_id |
CVE-2023-6841 |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-01T20:20:35Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-6841 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6841, GHSA-w97f-w3hq-36g2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7pje-w98s-9ueg |
|
| 8 |
| url |
VCID-8jvu-59r6-rygw |
| vulnerability_id |
VCID-8jvu-59r6-rygw |
| summary |
Keycloak Open Redirect vulnerability
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the `referrer` and `referrer_uri` parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.
Once a crafted URL is made, it can be sent to a Keycloak admin, for example via email. The vulnerability is triggered when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as by supplying the URL as an OAuth redirect URI. The malicious actor can further obfuscate the `redirect_uri` using URL encoding to hide the text of the actual malicious website domain. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 4 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301875 |
|
| 5 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 8 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
| reference_id |
CVE-2024-7260 |
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:13:21Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7260 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7260, GHSA-g4gc-rh26-m3p5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8jvu-59r6-rygw |
|
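The SSRF entry (`request_uri`, VCID-3kg4-uvgq-5khf) and the open-redirect entry just above (`referrer`/`referrer_uri`, VCID-8jvu-59r6-rygw) are the same class of mistake: the server acts on an attacker-supplied URL without tying it to what the client registered. The following is an added example of the validation pattern, not Keycloak's own implementation: canonicalize the URL, compare it by exact match against the client's registered URIs (no prefix or substring matching), reject userinfo and percent-encoding that shifts the host boundary (the obfuscation the advisory mentions), and, for URLs the server itself will fetch, refuse loopback, private and link-local literals including the IPv4-mapped IPv6 form. The client registration, names and URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed client registration for the example; a real server reads this
# from the client's configuration. Client name and URLs are assumptions.
REGISTERED = {
    "portal": {
        "request_uris": {"https://portal.example/oidc/request-object.jwt"},
        "redirect_uris": {"https://portal.example/callback", "https://portal.example/account"},
    },
}


class UnsafeUrl(ValueError):
    pass


def normalize(url: str) -> str:
    """Canonicalize a URL for exact comparison: https only, lowercase host,
    default port dropped, fragment removed. Rejects userinfo (https://good@evil/)
    and percent-encoding that changes which host the URL points at, e.g. an
    encoded '/' or '@' inside the authority."""
    parts = urlsplit(url)  # urlsplit lowercases the scheme and hostname
    if parts.scheme != "https":
        raise UnsafeUrl(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeUrl("invalid port")
    if (urlsplit(unquote(url)).hostname or "").rstrip(".") != host:
        raise UnsafeUrl("percent-encoding changes the host")
    netloc = host if port in (None, 443) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def is_internal_address(host: str) -> bool:
    """True for IP literals that are not globally routable (loopback, RFC 1918,
    link-local such as the 169.254.169.254 metadata address, IPv4-mapped IPv6).
    Hostnames are not resolved here; a server-side fetcher must re-check the
    resolved address, and every redirect hop, at connect time."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host == "localhost" or host.endswith(".localhost")
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_client_url(client_id: str, kind: str, url: str) -> str:
    """Exact-match `url` against the client's registered `kind` URIs
    ('request_uris' or 'redirect_uris'). URIs the server will fetch itself
    (request_uris) may not point at internal addresses even when registered."""
    registered = {normalize(u) for u in REGISTERED.get(client_id, {}).get(kind, ())}
    canonical = normalize(url)
    if canonical not in registered:
        raise UnsafeUrl(f"{kind[:-1]} not registered for client {client_id!r}")
    if kind == "request_uris" and is_internal_address(urlsplit(canonical).hostname or ""):
        raise UnsafeUrl("request_uri points at an internal address")
    return canonical


if __name__ == "__main__":
    probes = [
        ("request_uris", "https://portal.example/oidc/request-object.jwt"),
        ("request_uris", "HTTPS://Portal.Example:443/oidc/request-object.jwt"),
        ("request_uris", "https://portal.example%2Fevil.example/"),
        ("request_uris", "http://169.254.169.254/latest/meta-data/"),
        ("redirect_uris", "https://portal.example@evil.example/callback"),
        ("redirect_uris", "https://portal.example/callback/../admin"),
    ]
    for kind, url in probes:
        try:
            print("accept", kind, validate_client_url("portal", kind, url))
        except UnsafeUrl as e:
            print("reject", kind, url, "->", e)
```

Exact matching against the registration is the primary control; the host and encoding checks exist so that a registered entry written carelessly (or a normalization difference between registration time and request time) cannot be turned into a wildcard.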
| 10 |
| url |
VCID-9719-srgk-33dh |
| vulnerability_id |
VCID-9719-srgk-33dh |
| summary |
Improper Certificate Validation
The X.509 authenticator supports verification of client certificates through a CRL, which can be obtained from the URL carried in the certificate itself (the CRL distribution point, CDP) or from a separately configured path. CRLs are often served over the network through unsecured protocols (`http` or `ldap`), so the caller should verify the CRL signature and, where applicable, the certification path of its issuer. Keycloak currently does not validate signatures on CRLs, which makes attacks such as man-in-the-middle substitution of the CRL possible. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3875 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.15116 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.15078 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.15163 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00047 |
| scoring_system |
epss |
| scoring_elements |
0.15154 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3875 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-3875, GHSA-38cg-gg9j-q9j9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9719-srgk-33dh |
|
| 11 |
| url |
VCID-9cgx-nsyr-gyc3 |
| vulnerability_id |
VCID-9cgx-nsyr-gyc3 |
| summary |
Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
### Summary
A stored XSS vulnerability was reported to the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the groups dropdown functionality.
### Impact
Successful exploitation of this vulnerability can allow a privileged attacker to load an XSS script and steal data from other users. The impact can be considered moderate to low, given that privileged credentials are required.
### References
- Please refer to the Keycloak Security mailing list for more information. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-755v-r4x4-qf7m, GMS-2022-7509
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| url |
VCID-9kte-cfz7-hqa3 |
| vulnerability_id |
VCID-9kte-cfz7-hqa3 |
| summary |
Improper Certificate Validation
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.49 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48946 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.49007 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.49016 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@10.0.0 |
|
|
| aliases |
CVE-2020-1758, GHSA-c597-f74m-jgc2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9kte-cfz7-hqa3 |
|
| 13 |
| url |
VCID-9wq8-wqya-87dw |
| vulnerability_id |
VCID-9wq8-wqya-87dw |
| summary |
Execution with Unnecessary Privileges
A flaw was found in Keycloak where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute to impersonate the admin user for any particular application. |
| references |
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27826 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37386 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37322 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37413 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00166 |
| scoring_system |
epss |
| scoring_elements |
0.37418 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-27826 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-27826, GHSA-m9cj-v55f-8x26
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9wq8-wqya-87dw |
|
| 14 |
| url |
VCID-asw1-xz83-tqb3 |
| vulnerability_id |
VCID-asw1-xz83-tqb3 |
| summary |
Information Exposure
It was found that, while parsing SAML messages, the `StaxParserUtil` class of Keycloak replaces special strings used for obtaining attribute values with system property values. This could allow an attacker to determine the values of system properties on the attacked system by formatting the SAML request `ID` field to be the chosen system property, which could then be read back from the `InResponseTo` field in the response. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2582 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70685 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70652 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70695 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00629 |
| scoring_system |
epss |
| scoring_elements |
0.70702 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2582 |
|
|
| fixed_packages |
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
|
|
| aliases |
CVE-2017-2582, GHSA-c77r-6f64-478q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-asw1-xz83-tqb3 |
|
| 15 |
| url |
VCID-azxv-y5rj-vkg9 |
| vulnerability_id |
VCID-azxv-y5rj-vkg9 |
| summary |
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue affects users of shared computers in particular (especially if cookies are not cleared), because of a lack of root session validation and the reuse of session IDs across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when the refresh token is used, a token for the original user is issued. |
| references |
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45523 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45543 |
| published_at |
2026-06-06T12:55:00Z |
|
| 2 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45539 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.4547 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-azxv-y5rj-vkg9 |
|
| 16 |
| url |
VCID-cg94-7n2h-7fac |
| vulnerability_id |
VCID-cg94-7n2h-7fac |
| summary |
Improper Input Validation
It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via a request from an untrusted domain. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10199 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.2643 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26379 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26421 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00095 |
| scoring_system |
epss |
| scoring_elements |
0.26326 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10199 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-10199, GHSA-p5xp-6vpf-jwvh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cg94-7n2h-7fac |
|
| 17 |
| url |
VCID-ch1b-adh9-skah |
| vulnerability_id |
VCID-ch1b-adh9-skah |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00993 |
| scoring_system |
epss |
| scoring_elements |
0.77252 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00993 |
| scoring_system |
epss |
| scoring_elements |
0.77282 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00993 |
| scoring_system |
epss |
| scoring_elements |
0.77293 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00993 |
| scoring_system |
epss |
| scoring_elements |
0.77283 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-1274 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-1274, GHSA-m4fv-gm5m-4725, GMS-2023-528
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ch1b-adh9-skah |
|
| 19 |
| url |
VCID-cwqj-tnbj-3ubh |
| vulnerability_id |
VCID-cwqj-tnbj-3ubh |
| summary |
Information Exposure
A logged exception in the `HttpMethod` class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1698 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16134 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16104 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16187 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16178 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1698 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.0 |
|
|
| aliases |
CVE-2020-1698, GHSA-qgmm-f2qw-r95f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cwqj-tnbj-3ubh |
|
| 20 |
| url |
VCID-cxx9-9gwy-xyb6 |
| vulnerability_id |
VCID-cxx9-9gwy-xyb6 |
| summary |
certificate verification bypass |
| references |
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-35509 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25004 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.24972 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25068 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00087 |
| scoring_system |
epss |
| scoring_elements |
0.25057 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-35509 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@14.0.0 |
|
|
| aliases |
CVE-2020-35509, GHSA-rpj2-w6fr-79hc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| url |
VCID-d5ev-gcfy-6ke1 |
| vulnerability_id |
VCID-d5ev-gcfy-6ke1 |
| summary |
Keycloak allows cross-site scripting (XSS)
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-4028, GHSA-q4xq-445g-g6ch
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| url |
VCID-dc8s-fqv5-1uhk |
| vulnerability_id |
VCID-dc8s-fqv5-1uhk |
| summary |
Improper Privilege Management
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35063 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.3499 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35086 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00148 |
| scoring_system |
epss |
| scoring_elements |
0.35101 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14389 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-14389, GHSA-c9x9-xv66-xp3v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dc8s-fqv5-1uhk |
|
| 23 |
| url |
VCID-djda-aqxt-s3e9 |
| vulnerability_id |
VCID-djda-aqxt-s3e9 |
| summary |
Information Exposure
Keycloak allows the end-user token (access or ID token JWT) to be used as the session cookie for browser sessions for OIDC. As a result, an attacker with access to the service provider backend could hijack a user's browser session. |
| references |
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.51192 |
| published_at |
2026-06-06T12:55:00Z |
|
| 1 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.5117 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.51125 |
| published_at |
2026-06-04T12:55:00Z |
|
| 3 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.51187 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-3868 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@6.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@6.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@6.0.0 |
|
|
| aliases |
CVE-2019-3868, GHSA-gc52-xj6p-9pxp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-djda-aqxt-s3e9 |
|
| 24 |
| url |
VCID-ek3f-9qnu-27gv |
| vulnerability_id |
VCID-ek3f-9qnu-27gv |
| summary |
Information Exposure
Keycloak has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks. |
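The summary above describes a verifier whose signature comparison takes a time that depends on how many leading bytes of the attacker's guess are correct. The following Python is an added illustration, not Keycloak's code: it builds a compact HS256 JWS, shows the vulnerable byte-equality check beside a constant-time one, and also pins the algorithm so a token whose header claims `alg=none` is rejected. The key, claims and helper names (`sign_hs256`, `verify_hs256`, `tamper_payload`, `alg_none_token`) are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS header.payload.signature using HMAC-SHA256."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def verify_hs256_insecure(token: str, key: bytes) -> bool:
    """The vulnerable shape: `==` on bytes stops at the first mismatching byte,
    so response time grows with the number of leading signature bytes an
    attacker has guessed correctly.  Kept here only for comparison."""
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return _b64url_decode(sig_b64) == expected


def verify_hs256(token: str, key: bytes) -> bool:
    """Hardened check: constant-time comparison, and the algorithm is pinned
    by the verifier instead of being trusted from the token header."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError:          # wrong segment count, bad base64, bad JSON, non-ASCII
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # compare_digest runs in time independent of where the inputs differ
    return hmac.compare_digest(provided, expected)


def tamper_payload(token: str, new_claims: dict) -> str:
    """Attacker helper: keep the header and signature, swap the claims."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_json(new_claims)}.{sig_b64}"


def alg_none_token(claims: dict) -> str:
    """Attacker helper: unsigned token with alg=none and an empty signature."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


if __name__ == "__main__":
    key = b"example-shared-secret-not-for-production"   # constructed sample key
    token = sign_hs256({"sub": "alice", "roles": ["user"]}, key)
    print("valid token:", verify_hs256(token, key))
    print("tampered claims:", verify_hs256(tamper_payload(token, {"sub": "admin"}), key))
    print("alg=none token:", verify_hs256(alg_none_token({"sub": "admin"}), key))
```

Both verifiers accept a genuine token and reject a forged one; the difference is only observable through timing, which is why a test suite will not catch the insecure variant and a code review or a grep for `==` on MAC bytes is needed.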
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2585 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71795 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71773 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71813 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00671 |
| scoring_system |
epss |
| scoring_elements |
0.71819 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2585 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 25 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 26 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 27 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 28 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 31 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 34 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 35 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 36 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 37 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 38 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 39 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 40 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 41 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 42 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 43 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 44 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 45 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 46 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 47 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 48 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 49 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 50 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 51 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 52 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.1.Final |
|
|
| aliases |
CVE-2017-2585, GHSA-w6gv-3r3v-gwgj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ek3f-9qnu-27gv |
|
| 25 |
| url |
VCID-fh1s-1jqa-3bgp |
| vulnerability_id |
VCID-fh1s-1jqa-3bgp |
| summary |
Improper Certificate Validation
It was found that SAML authentication in Keycloak incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10894 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17391 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17355 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17432 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17427 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10894 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-39am-wkz3-8ubu |
|
| 5 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 6 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 7 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 8 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 9 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 10 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 11 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 12 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 13 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 14 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 27 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 28 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 29 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 30 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 31 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 32 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 33 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 34 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 35 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 36 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 37 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 38 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 39 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 40 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 41 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 42 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 43 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 44 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 45 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 46 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 47 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 48 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 49 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.4.3.Final |
|
|
| aliases |
CVE-2018-10894, GHSA-xvv8-8wh9-9fh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fh1s-1jqa-3bgp |
|
| 26 |
| url |
VCID-g9qz-99pv-9bgw |
| vulnerability_id |
VCID-g9qz-99pv-9bgw |
| summary |
URL Redirection to Untrusted Site (Open Redirect)
The redirect URLs for both login and logout are not normalized in `org.keycloak.protocol.oidc.utils.RedirectUtils` before the redirect URL is verified against the registered redirect URIs. This can lead to an open redirect attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14658 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47274 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47225 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47289 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.0024 |
| scoring_system |
epss |
| scoring_elements |
0.47292 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14658 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 27 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 28 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 29 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 30 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 31 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 32 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 33 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 34 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 35 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 36 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 37 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 38 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 39 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 40 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 41 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 42 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 43 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 44 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 45 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 46 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 47 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 48 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 49 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 50 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.3.0.CR1 |
|
|
| aliases |
CVE-2018-14658, GHSA-3qh2-mccc-q5m6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g9qz-99pv-9bgw |
|
| 27 |
| url |
VCID-gr2e-ntp4-9fdg |
| vulnerability_id |
VCID-gr2e-ntp4-9fdg |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.29814 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.29745 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.29778 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.29746 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-1725, GHSA-p225-pc2x-4jpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gr2e-ntp4-9fdg |
|
| 28 |
| url |
VCID-h539-621j-d7bn |
| vulnerability_id |
VCID-h539-621j-d7bn |
| summary |
Use of Insufficiently Random Values
A flaw was found in all versions of the Keycloak operator before version 8.0.2 (community only): the operator generates a random admin password when installing Keycloak, but the password remains the same when deployed to the same OpenShift namespace. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1731 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.60332 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.60295 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.60342 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00389 |
| scoring_system |
epss |
| scoring_elements |
0.60344 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1731 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 20 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 21 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 22 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 23 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 24 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 25 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 26 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 27 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 28 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 29 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 30 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 31 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 32 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 33 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 34 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 35 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 36 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 37 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.2 |
|
|
| aliases |
CVE-2020-1731, GHSA-6pmv-7pr9-cgrj
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h539-621j-d7bn |
|
| 29 |
| url |
VCID-hdx2-k9s5-zqff |
| vulnerability_id |
VCID-hdx2-k9s5-zqff |
| summary |
Loop with Unreachable Exit Condition ('Infinite Loop')
Keycloak before version 4.0.0.Final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and enter an infinite loop. A malicious authenticated user could use this flaw to achieve denial of service on the server. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10912 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.6512 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.65079 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.65121 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00474 |
| scoring_system |
epss |
| scoring_elements |
0.65132 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10912 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-39am-wkz3-8ubu |
|
| 5 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 6 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 7 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 8 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 9 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 10 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 11 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 12 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 13 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 14 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 27 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 28 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 29 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 30 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 31 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 32 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 33 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 34 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 35 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 36 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 37 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 38 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 39 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 40 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 41 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 42 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 43 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 44 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 45 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 46 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 47 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 48 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@4.0.0.Final |
|
|
| aliases |
CVE-2018-10912, GHSA-h7j7-pw3v-3v3x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hdx2-k9s5-zqff |
|
| 30 |
| url |
VCID-hjue-s41w-bye9 |
| vulnerability_id |
VCID-hjue-s41w-bye9 |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.35824 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3592 |
| published_at |
2026-06-05T12:55:00Z |
|
| 2 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3593 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00154 |
| scoring_system |
epss |
| scoring_elements |
0.3589 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14302 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-14302
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hjue-s41w-bye9 |
|
| 31 |
|
| 32 |
| url |
VCID-jbzy-b52n-4kcx |
| vulnerability_id |
VCID-jbzy-b52n-4kcx |
| summary |
cross-site scripting |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20195 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.54006 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.5406 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.54071 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00305 |
| scoring_system |
epss |
| scoring_elements |
0.54063 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20195 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 2 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 3 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 4 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 5 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 6 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 7 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 8 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 9 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 10 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 11 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 12 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 13 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 14 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 15 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 16 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 17 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 18 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 19 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 20 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 21 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 22 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 23 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 24 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 25 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 26 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.3 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20195, GHSA-q6w2-89hq-hq27
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jbzy-b52n-4kcx |
|
| 33 |
| url |
VCID-jm25-gtrc-zuhh |
| vulnerability_id |
VCID-jm25-gtrc-zuhh |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14483 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14523 |
| published_at |
2026-06-06T12:55:00Z |
|
| 2 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14519 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00046 |
| scoring_system |
epss |
| scoring_elements |
0.14449 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-20202 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2021-20202, GHSA-6xp6-fmc8-pmmr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jm25-gtrc-zuhh |
|
| 34 |
| url |
VCID-k6ct-rgvj-t3an |
| vulnerability_id |
VCID-k6ct-rgvj-t3an |
| summary |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6134, GHSA-cvg2-7c3j-g36j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k6ct-rgvj-t3an |
|
| 35 |
| url |
VCID-m4fq-trvy-bub3 |
| vulnerability_id |
VCID-m4fq-trvy-bub3 |
| summary |
keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-14837, GHSA-cf8f-w2c5-p5jr
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m4fq-trvy-bub3 |
|
| 36 |
| url |
VCID-mkkw-kxbq-7yhg |
| vulnerability_id |
VCID-mkkw-kxbq-7yhg |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
When Keycloak receives a SAML Logout request in the middle of a request, the `SAMLSloRequestParser.parse()` method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2646 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66483 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66451 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66491 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66499 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-2646 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 25 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 26 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 27 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 28 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 29 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 30 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 31 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 32 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 33 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 34 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 35 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 36 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 37 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 38 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 39 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 40 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 41 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 42 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 43 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 44 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 45 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 46 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 47 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 48 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 49 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 50 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 51 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.5.5.Final |
|
|
| aliases |
CVE-2017-2646, GHSA-jc6q-27mw-p55w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mkkw-kxbq-7yhg |
|
| 37 |
| url |
VCID-mwdj-rztg-pfgf |
| vulnerability_id |
VCID-mwdj-rztg-pfgf |
| summary |
keycloak-core: open redirect via "form_post.jwt" JARM response mode
An incomplete fix was found in a Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It is observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-9vm7-v8wj-3fqw, GMS-2024-51
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mwdj-rztg-pfgf |
|
| 38 |
|
| 39 |
| url |
VCID-p1cj-f4de-1qc4 |
| vulnerability_id |
VCID-p1cj-f4de-1qc4 |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10170 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.73372 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.73345 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.73381 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00742 |
| scoring_system |
epss |
| scoring_elements |
0.73387 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10170 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-10170, GHSA-7m27-3587-83xf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p1cj-f4de-1qc4 |
|
| 40 |
| url |
VCID-prsa-264j-mfah |
| vulnerability_id |
VCID-prsa-264j-mfah |
| summary |
Improper Authentication
It was found that Keycloak's SAML broker did not verify missing message signatures. If an attacker modifies the SAML Response and removes the `<Signature>` sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10201 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33235 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33155 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33258 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00136 |
| scoring_system |
epss |
| scoring_elements |
0.33272 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-10201 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@7.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 10 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 11 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 12 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 13 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 14 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 15 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 16 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 17 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 18 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 19 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 20 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 21 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 22 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 23 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 24 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 25 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 26 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 27 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 28 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 29 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 30 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 31 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 32 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 33 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 34 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 35 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 36 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 37 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 38 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 39 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 40 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 41 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 42 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@7.0.0 |
|
|
| aliases |
CVE-2019-10201, GHSA-4fgq-gq9g-3rw7
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-prsa-264j-mfah |
|
| 41 |
|
| 42 |
| url |
VCID-rhrz-f6tf-tkhu |
| vulnerability_id |
VCID-rhrz-f6tf-tkhu |
| summary |
Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references.
# Original Description
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable after about 30 seconds, the tokens remain valid for an additional 30 seconds, totaling 1 minute.
A one-time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
GHSA-57rh-gr4v-j5f6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rhrz-f6tf-tkhu |
|
| 43 |
| url |
VCID-u8yn-1j1n-gbhu |
| vulnerability_id |
VCID-u8yn-1j1n-gbhu |
| summary |
Moderate severity vulnerability that affects org.keycloak:keycloak-core
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8629 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43933 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43917 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43941 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00213 |
| scoring_system |
epss |
| scoring_elements |
0.43863 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8629 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-asw1-xz83-tqb3 |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-ek3f-9qnu-27gv |
|
| 25 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 26 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 27 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 28 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 29 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 30 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 33 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 34 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 35 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 36 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 37 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 38 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 39 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 40 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 41 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 42 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 43 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 44 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 45 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 46 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 47 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 48 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 49 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 50 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 51 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 52 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 53 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 54 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.4.0.Final |
|
|
| aliases |
CVE-2016-8629, GHSA-778x-2mqv-w6xw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u8yn-1j1n-gbhu |
|
| 44 |
| url |
VCID-vgbc-v44r-vugq |
| vulnerability_id |
VCID-vgbc-v44r-vugq |
| summary |
Weak Password Recovery Mechanism for Forgotten Password
It was found that Keycloak before 3.4.2.Final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12161 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51542 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51497 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51558 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00279 |
| scoring_system |
epss |
| scoring_elements |
0.51564 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12161 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 15 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 16 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 17 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 18 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 19 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 20 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 21 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 22 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 23 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 24 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 25 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 26 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 27 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 28 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 29 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 30 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 31 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 32 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 33 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 34 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 35 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 36 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 37 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 38 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 39 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 40 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 41 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 42 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 43 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 44 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 45 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 46 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 47 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 48 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 49 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@3.4.2.Final |
|
|
| aliases |
CVE-2017-12161, GHSA-959q-32g8-vvp7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vgbc-v44r-vugq |
|
| 45 |
| url |
VCID-vs8q-ywf1-3qa2 |
| vulnerability_id |
VCID-vs8q-ywf1-3qa2 |
| summary |
keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58772 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58728 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58775 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.5878 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3856 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 9 |
| vulnerability |
VCID-dvk9-qsq9-4uc3 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 15 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 16 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 17 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 18 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@15.1.0 |
|
|
| aliases |
CVE-2021-3856, GHSA-3w4v-rvc4-2xpw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vs8q-ywf1-3qa2 |
|
| 46 |
| url |
VCID-wgzd-wv2e-pyhy |
| vulnerability_id |
VCID-wgzd-wv2e-pyhy |
| summary |
Improper Restriction of Rendered UI Layers or Frames
A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1728 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32481 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.3248 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32552 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.3252 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1728 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 1 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 2 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 3 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 10 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 11 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 12 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 13 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 14 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 15 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 16 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 17 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 18 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 19 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 20 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 21 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 22 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 23 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 24 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 25 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 26 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 27 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 28 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 29 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 30 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 31 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 32 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@10.0.0 |
|
|
| aliases |
CVE-2020-1728, GHSA-3gg7-9q2x-79fc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wgzd-wv2e-pyhy |
|
| 47 |
| url |
VCID-wt2c-cyu2-kbgm |
| vulnerability_id |
VCID-wt2c-cyu2-kbgm |
| summary |
multiple issues |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@13.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 2 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 3 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 4 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 5 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 6 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 7 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 8 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 9 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 10 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 11 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 12 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 13 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 14 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 15 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 16 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 17 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 18 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 19 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 20 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@13.0.0 |
|
|
| aliases |
CVE-2020-27838, GHSA-pcv5-m2wh-66j3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wt2c-cyu2-kbgm |
|
| 48 |
| url |
VCID-wuh8-4akm-2uae |
| vulnerability_id |
VCID-wuh8-4akm-2uae |
| summary |
Cross-site Scripting
In Keycloak, links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1697 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51969 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.5192 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.5198 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00283 |
| scoring_system |
epss |
| scoring_elements |
0.51989 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1697 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 5 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 6 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 7 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 8 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 9 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 10 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 11 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 12 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 13 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 14 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 20 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 21 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 22 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 23 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 24 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 25 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 26 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 27 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 28 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 29 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 30 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 31 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 32 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 33 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 34 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 35 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 36 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.0 |
|
|
| aliases |
CVE-2020-1697, GHSA-8vf3-4w62-m3pq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wuh8-4akm-2uae |
|
| 49 |
| url |
VCID-x4z9-b3qr-fybk |
| vulnerability_id |
VCID-x4z9-b3qr-fybk |
| summary |
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-10039, GHSA-93ww-43rr-79v3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x4z9-b3qr-fybk |
|
| 50 |
| url |
VCID-x8bu-57yh-kbex |
| vulnerability_id |
VCID-x8bu-57yh-kbex |
| summary |
Improper Authentication
It was found that Keycloak before 2.3.0 did not implement the authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which they could hijack the user's session. This could lead to information disclosure, or permit further possible attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8609 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35176 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35103 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35198 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00149 |
| scoring_system |
epss |
| scoring_elements |
0.35213 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-8609 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-2qmw-afpp-7qa8 |
|
| 3 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 4 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 5 |
| vulnerability |
VCID-5zh6-37gp-pbas |
|
| 6 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 7 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 8 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 9 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 10 |
| vulnerability |
VCID-9719-srgk-33dh |
|
| 11 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 12 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 13 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 14 |
| vulnerability |
VCID-asw1-xz83-tqb3 |
|
| 15 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 16 |
| vulnerability |
VCID-cg94-7n2h-7fac |
|
| 17 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 18 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 19 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 20 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 21 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 22 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 23 |
| vulnerability |
VCID-djda-aqxt-s3e9 |
|
| 24 |
| vulnerability |
VCID-ek3f-9qnu-27gv |
|
| 25 |
| vulnerability |
VCID-fh1s-1jqa-3bgp |
|
| 26 |
| vulnerability |
VCID-g9qz-99pv-9bgw |
|
| 27 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 28 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 29 |
| vulnerability |
VCID-hdx2-k9s5-zqff |
|
| 30 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 31 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 32 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 33 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 34 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 35 |
| vulnerability |
VCID-m4fq-trvy-bub3 |
|
| 36 |
| vulnerability |
VCID-mkkw-kxbq-7yhg |
|
| 37 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 38 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 39 |
| vulnerability |
VCID-p1cj-f4de-1qc4 |
|
| 40 |
| vulnerability |
VCID-prsa-264j-mfah |
|
| 41 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 42 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 43 |
| vulnerability |
VCID-u8yn-1j1n-gbhu |
|
| 44 |
| vulnerability |
VCID-vgbc-v44r-vugq |
|
| 45 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 46 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 47 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 48 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 49 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 50 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 51 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 52 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 53 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 54 |
| vulnerability |
VCID-zfgf-9455-d3fe |
|
| 55 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@2.3.0.Final |
|
|
| aliases |
CVE-2016-8609, GHSA-95m6-mjh3-58gm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x8bu-57yh-kbex |
|
| 51 |
| url |
VCID-xbkp-kjgd-fqcx |
| vulnerability_id |
VCID-xbkp-kjgd-fqcx |
| summary |
URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6291, GHSA-mpwq-j3xf-7m5w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xbkp-kjgd-fqcx |
|
| 52 |
| url |
VCID-xvvs-ttw1-wkbt |
| vulnerability_id |
VCID-xvvs-ttw1-wkbt |
| summary |
Keycloak's One Time Passcode (OTP) is valid longer than expiration time
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds, totaling 1 minute. A one-time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6502 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6502 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6503 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6503 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 |
|
| 5 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
| reference_id |
CVE-2024-7318 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T19:08:16Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-7318 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7318, GHSA-xmmm-jw76-q7vg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xvvs-ttw1-wkbt |
|
| 53 |
| url |
VCID-y9de-4w6u-abfa |
| vulnerability_id |
VCID-y9de-4w6u-abfa |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50785 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50741 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50801 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50807 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 1 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 2 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 3 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 4 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 5 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 6 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 7 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 8 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 9 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 10 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 11 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 12 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 13 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 14 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 15 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 16 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 17 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 18 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 19 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 20 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 21 |
| vulnerability |
VCID-pu4g-rbu2-nbdb |
|
| 22 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 23 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 24 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 25 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 26 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 27 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 28 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 29 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@12.0.0 |
|
|
| aliases |
CVE-2020-10776, GHSA-484q-784p-8m5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y9de-4w6u-abfa |
|
| 54 |
| url |
VCID-zabp-1j4k-9bf8 |
| vulnerability_id |
VCID-zabp-1j4k-9bf8 |
| summary |
Keycloak vulnerable to untrusted certificate validation
A flaw was found in Keycloak. This flaw requires the non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy not to validate the certificate before Keycloak. Under these conditions an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing or misconfigured, any trust file may be accepted, with the log message "Cannot validate client certificate trust: Truststore not available". This may not impact availability, as the attacker would have no access to the server, but the integrity or confidentiality of consumer applications may be impacted, considering possible access to them. Provided the environment is correctly configured to use "Revalidate Client Certificate", this flaw is avoidable. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-1664 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48927 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48999 |
| published_at |
2026-06-06T12:55:00Z |
|
| 2 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48981 |
| published_at |
2026-06-07T12:55:00Z |
|
| 3 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48989 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-1664 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-1664, GHSA-5cc8-pgp5-7mpm, GHSA-c892-cwq6-qrqf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zabp-1j4k-9bf8 |
|
| 55 |
| url |
VCID-zfgf-9455-d3fe |
| vulnerability_id |
VCID-zfgf-9455-d3fe |
| summary |
Information Exposure
It was found that Keycloak exposes internal adapter endpoints in `org.keycloak.constants.AdapterConstants`, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-core@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13dn-ke8h-67ez |
|
| 1 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 2 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 3 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cwqj-tnbj-3ubh |
|
| 15 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 16 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 17 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 18 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 19 |
| vulnerability |
VCID-h539-621j-d7bn |
|
| 20 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 21 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 22 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 23 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 24 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 25 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 26 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 27 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 28 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 29 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 30 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 31 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 32 |
| vulnerability |
VCID-wuh8-4akm-2uae |
|
| 33 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 34 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 35 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 36 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 37 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
| 38 |
| vulnerability |
VCID-zkxq-ejyr-8ba8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@8.0.0 |
|
|
| aliases |
CVE-2019-14820, GHSA-xfqh-7356-vqjj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zfgf-9455-d3fe |
|
| 56 |
| url |
VCID-zkxq-ejyr-8ba8 |
| vulnerability_id |
VCID-zkxq-ejyr-8ba8 |
| summary |
Improper Handling of Exceptional Conditions
A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed login events for OTP are not being sent to the brute force protection event queue, so BruteForceProtector does not handle these events. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1744 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.40975 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.40948 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.40979 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00192 |
| scoring_system |
epss |
| scoring_elements |
0.40898 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1744 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-core@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2ba6-j1fs-2kfc |
|
| 1 |
| vulnerability |
VCID-361y-pegm-gqbs |
|
| 2 |
| vulnerability |
VCID-3kg4-uvgq-5khf |
|
| 3 |
| vulnerability |
VCID-6gee-p7fr-1yhy |
|
| 4 |
| vulnerability |
VCID-7662-z35s-9qeq |
|
| 5 |
| vulnerability |
VCID-7pje-w98s-9ueg |
|
| 6 |
| vulnerability |
VCID-8jvu-59r6-rygw |
|
| 7 |
| vulnerability |
VCID-8ze1-r95u-xbg8 |
|
| 8 |
| vulnerability |
VCID-9cgx-nsyr-gyc3 |
|
| 9 |
| vulnerability |
VCID-9kte-cfz7-hqa3 |
|
| 10 |
| vulnerability |
VCID-9wq8-wqya-87dw |
|
| 11 |
| vulnerability |
VCID-azxv-y5rj-vkg9 |
|
| 12 |
| vulnerability |
VCID-ch1b-adh9-skah |
|
| 13 |
| vulnerability |
VCID-crj8-4jaa-yyes |
|
| 14 |
| vulnerability |
VCID-cxx9-9gwy-xyb6 |
|
| 15 |
| vulnerability |
VCID-d5ev-gcfy-6ke1 |
|
| 16 |
| vulnerability |
VCID-dc8s-fqv5-1uhk |
|
| 17 |
| vulnerability |
VCID-gr2e-ntp4-9fdg |
|
| 18 |
| vulnerability |
VCID-hjue-s41w-bye9 |
|
| 19 |
| vulnerability |
VCID-hxup-rgnc-mqbp |
|
| 20 |
| vulnerability |
VCID-jbzy-b52n-4kcx |
|
| 21 |
| vulnerability |
VCID-jm25-gtrc-zuhh |
|
| 22 |
| vulnerability |
VCID-k6ct-rgvj-t3an |
|
| 23 |
| vulnerability |
VCID-mwdj-rztg-pfgf |
|
| 24 |
| vulnerability |
VCID-nkbw-r99s-n3fc |
|
| 25 |
| vulnerability |
VCID-qjhb-ubp5-ukdy |
|
| 26 |
| vulnerability |
VCID-rhrz-f6tf-tkhu |
|
| 27 |
| vulnerability |
VCID-vs8q-ywf1-3qa2 |
|
| 28 |
| vulnerability |
VCID-wgzd-wv2e-pyhy |
|
| 29 |
| vulnerability |
VCID-wt2c-cyu2-kbgm |
|
| 30 |
| vulnerability |
VCID-x4z9-b3qr-fybk |
|
| 31 |
| vulnerability |
VCID-xbkp-kjgd-fqcx |
|
| 32 |
| vulnerability |
VCID-xvvs-ttw1-wkbt |
|
| 33 |
| vulnerability |
VCID-y9de-4w6u-abfa |
|
| 34 |
| vulnerability |
VCID-zabp-1j4k-9bf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-core@9.0.2 |
|
|
| aliases |
CVE-2020-1744, GHSA-4gf2-xv97-63m2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zkxq-ejyr-8ba8 |
|