| 0 |
| url |
VCID-14c3-xa9j-mbab |
| vulnerability_id |
VCID-14c3-xa9j-mbab |
| summary |
Incorrect implementation of lockout feature in Keycloak
A flaw was found in Keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42201 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42238 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42214 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42189 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42225 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42174 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42156 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42216 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.42207 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00201 |
| scoring_system |
epss |
| scoring_elements |
0.4213 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3513 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-3513, GHSA-xv7h-95r7-595j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-14c3-xa9j-mbab |
|
| 1 |
| url |
VCID-3248-31p8-tyd4 |
| vulnerability_id |
VCID-3248-31p8-tyd4 |
| summary |
Incorrect Authorization
A flaw was found in Keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3011 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30188 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30272 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3009 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.3015 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30186 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30145 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30193 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30095 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00115 |
| scoring_system |
epss |
| scoring_elements |
0.30223 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1725 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-1725, GHSA-p225-pc2x-4jpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3248-31p8-tyd4 |
|
| 2 |
| url |
VCID-3jpe-awam-wqdz |
| vulnerability_id |
VCID-3jpe-awam-wqdz |
| summary |
Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-0707 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.0828 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08127 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08233 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08251 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.0827 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08195 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08248 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.08196 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00029 |
| scoring_system |
epss |
| scoring_elements |
0.0826 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-0707 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-0707, GHSA-gv94-wp4h-vv8p
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3jpe-awam-wqdz |
|
| 3 |
| url |
VCID-6ure-3hgz-xfgn |
| vulnerability_id |
VCID-6ure-3hgz-xfgn |
| summary |
Authentication Bypass by Primary Weakness
A vulnerability was found in all versions of Keycloak, where, when using lowercase HTTP headers (via cURL), we can bypass our Gatekeeper. Lowercase headers are also accepted by some web servers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14359 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49288 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49183 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49215 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49243 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49194 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49249 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49246 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49263 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49236 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00259 |
| scoring_system |
epss |
| scoring_elements |
0.49241 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14359 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-14359, GHSA-jh6m-3pqw-242h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6ure-3hgz-xfgn |
|
| 4 |
| url |
VCID-78nt-79j3-k3fh |
| vulnerability_id |
VCID-78nt-79j3-k3fh |
| summary |
Cross-site Scripting
When using `response_mode=form_post` it is possible to inject arbitrary JavaScript code via the `state` parameter in the authentication URL. This allows an XSS attack upon successful login. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14655 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44728 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44694 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44631 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44682 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44684 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44701 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44671 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44672 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44593 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.0022 |
| scoring_system |
epss |
| scoring_elements |
0.44673 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14655 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@4.0.0.Beta3 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@4.0.0.Beta3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 5 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 6 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 7 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 8 |
| vulnerability |
VCID-evqq-d8uz-9be1 |
|
| 9 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 10 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 11 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 12 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 13 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 14 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 15 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 16 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 17 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 18 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 19 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 20 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 21 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@4.0.0.Beta3 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-parent@4.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-parent@4.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 5 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 6 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 7 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 8 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 9 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 10 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 11 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 12 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 13 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 14 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 15 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 16 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 17 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 18 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 19 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 20 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@4.4.0.Final |
|
|
| aliases |
CVE-2018-14655, GHSA-458h-wv48-fq75
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-78nt-79j3-k3fh |
|
| 5 |
| url |
VCID-7z49-f322-n7g8 |
| vulnerability_id |
VCID-7z49-f322-n7g8 |
| summary |
Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console
An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the `UPLOAD_SCRIPTS` feature is disabled. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2668 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64733 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.6467 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64698 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64656 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64704 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64719 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64736 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64724 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.64696 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2668 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-2668, GHSA-wf7g-7h6h-678v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7z49-f322-n7g8 |
|
| 6 |
| url |
VCID-8zrg-f41g-pqfk |
| vulnerability_id |
VCID-8zrg-f41g-pqfk |
| summary |
ECP SAML binding bypasses authentication flows
### Description
A flaw was found in Keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass MFA authentication by sending a SOAP request with an AuthnRequest and an Authorization header carrying the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3827 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43248 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.4328 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.4326 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43247 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43259 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43294 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43233 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43196 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.43174 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00208 |
| scoring_system |
epss |
| scoring_elements |
0.4323 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3827 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8zrg-f41g-pqfk |
|
| 7 |
| url |
VCID-9bn2-agpc-hfdz |
| vulnerability_id |
VCID-9bn2-agpc-hfdz |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12158 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71232 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71325 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71239 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71257 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71279 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71294 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.7131 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71231 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71287 |
| published_at |
2026-04-09T12:55:00Z |
|
| 9 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.71273 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12158 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2017-12158 |
| reference_id |
CVE-2017-12158 |
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:M/Au:S/C:N/I:P/A:N |
|
| 1 |
| value |
5.4 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2017-12158 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-parent@3.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-parent@3.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-78nt-79j3-k3fh |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 7 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 8 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 9 |
| vulnerability |
VCID-evqq-d8uz-9be1 |
|
| 10 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 11 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 14 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 15 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 16 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 17 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 18 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 19 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 20 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 21 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 22 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@3.4.0.Final |
|
|
| aliases |
CVE-2017-12158, GHSA-v38p-mqq3-m6v5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9bn2-agpc-hfdz |
|
| 8 |
| url |
VCID-cabc-jrpz-vuad |
| vulnerability_id |
VCID-cabc-jrpz-vuad |
| summary |
Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
### CVSS 3.1 - **3.8**
**Vector String:** AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
**Vector Clarification:**
* User interaction is not required as the admin console is regularly used during an administrator's work
* The scope is unchanged since the admin console web application is both the vulnerable component and where the exploit executes
### Credits
Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2256 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.75421 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.7538 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.75391 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.75413 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.7536 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.75393 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.75383 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.7534 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00882 |
| scoring_system |
epss |
| scoring_elements |
0.75328 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2256 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-2256, GHSA-w9mf-83w3-fv49
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cabc-jrpz-vuad |
|
| 9 |
| url |
VCID-dxj3-8sk5-mfdy |
| vulnerability_id |
VCID-dxj3-8sk5-mfdy |
| summary |
Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45481 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45418 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45438 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45382 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45437 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45458 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.45428 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00226 |
| scoring_system |
epss |
| scoring_elements |
0.4543 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3916 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dxj3-8sk5-mfdy |
|
| 10 |
| url |
VCID-evqq-d8uz-9be1 |
| vulnerability_id |
VCID-evqq-d8uz-9be1 |
| summary |
Improper Authentication
When TOTP is enabled, an improper implementation of the brute force detection algorithm will not enforce its protection measures. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14657 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58545 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58505 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58476 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58528 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58534 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58551 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58532 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58512 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58399 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00365 |
| scoring_system |
epss |
| scoring_elements |
0.58485 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-14657 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@4.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-parent@4.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 5 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 6 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 7 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 8 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 9 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 10 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 11 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 12 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 13 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 14 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 15 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 16 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 17 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 18 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 19 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 20 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@4.4.0.Final |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-parent@4.6.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-parent@4.6.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 5 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 6 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 7 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 8 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 9 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 10 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 11 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 12 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 13 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 14 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 15 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 16 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 17 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 18 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 19 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 20 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@4.6.0.Final |
|
|
| aliases |
CVE-2018-14657, GHSA-85v8-vx4w-q684
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-evqq-d8uz-9be1 |
|
| 11 |
| url |
VCID-f763-ps3s-b3ep |
| vulnerability_id |
VCID-f763-ps3s-b3ep |
| summary |
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12159 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69163 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69059 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69075 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69097 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69078 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69128 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69147 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69169 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69153 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00588 |
| scoring_system |
epss |
| scoring_elements |
0.69124 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12159 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2017-12159 |
| reference_id |
CVE-2017-12159 |
| reference_type |
|
| scores |
| 0 |
| value |
5.0 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:L/Au:N/C:P/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2017-12159 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-parent@3.4.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-parent@3.4.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-78nt-79j3-k3fh |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 7 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 8 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 9 |
| vulnerability |
VCID-evqq-d8uz-9be1 |
|
| 10 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 11 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 14 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 15 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 16 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 17 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 18 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 19 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 20 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 21 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 22 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@3.4.0.Final |
|
|
| aliases |
CVE-2017-12159, GHSA-7fmw-85qm-h22p
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f763-ps3s-b3ep |
|
| 12 |
| url |
VCID-f8mj-85vd-2yh5 |
| vulnerability_id |
VCID-f8mj-85vd-2yh5 |
| summary |
Allocation of Resources Without Limits or Throttling
A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10758 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.67241 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.6717 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.67194 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.67221 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.67234 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.67254 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.6724 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.67207 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00529 |
| scoring_system |
epss |
| scoring_elements |
0.67133 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10758 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@11.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@11.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 4 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8cmx-d3j7-vqbz |
|
| 7 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 8 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 11 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 12 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 13 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 14 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 15 |
| vulnerability |
VCID-umcf-t6w5-juha |
|
| 16 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 17 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@11.0.1 |
|
|
| aliases |
CVE-2020-10758, GHSA-52rg-hpwq-qp56
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f8mj-85vd-2yh5 |
|
| 13 |
| url |
VCID-gjzp-cqhp-augx |
| vulnerability_id |
VCID-gjzp-cqhp-augx |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10748 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57788 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57783 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57786 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57802 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.5778 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57759 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57649 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57734 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57755 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00354 |
| scoring_system |
epss |
| scoring_elements |
0.57728 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10748 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@10.0.2 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@10.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 4 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8cmx-d3j7-vqbz |
|
| 7 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 8 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 11 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 12 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 13 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 14 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 15 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 16 |
| vulnerability |
VCID-umcf-t6w5-juha |
|
| 17 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 18 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@10.0.2 |
|
|
| aliases |
CVE-2020-10748, GHSA-hgpg-593r-hhvp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gjzp-cqhp-augx |
|
| 14 |
| url |
VCID-gndk-728r-9yh7 |
| vulnerability_id |
VCID-gndk-728r-9yh7 |
| summary |
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66117 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66129 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.6611 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66098 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66012 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66123 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66087 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66049 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66083 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00503 |
| scoring_system |
epss |
| scoring_elements |
0.66055 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3632 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-3632, GHSA-qpq9-jpv4-6gwr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gndk-728r-9yh7 |
|
| 15 |
| url |
VCID-jkh6-bvx2-dycm |
| vulnerability_id |
VCID-jkh6-bvx2-dycm |
| summary |
Keycloak Server-Side Request Forgery (SSRF) vulnerability
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1518 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01411 |
| published_at |
2026-04-08T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01396 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01406 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.014 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01412 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01561 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01581 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01572 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1518 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1518, GHSA-fwhw-chw4-gh37
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jkh6-bvx2-dycm |
|
| 16 |
| url |
VCID-jprv-e2zb-v7bb |
| vulnerability_id |
VCID-jprv-e2zb-v7bb |
| summary |
Generation of Error Message Containing Sensitive Information
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1717 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.40068 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.40075 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.40076 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.39997 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.4005 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.40064 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.40038 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.39902 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.40018 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00183 |
| scoring_system |
epss |
| scoring_elements |
0.40049 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1717 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 5 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 6 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 7 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 8 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 9 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 10 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 11 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 12 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 13 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 14 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 15 |
| vulnerability |
VCID-umcf-t6w5-juha |
|
| 16 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 17 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 18 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 19 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@8.0.0 |
|
|
| aliases |
CVE-2020-1717, GHSA-rvfc-g8j5-9ccf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jprv-e2zb-v7bb |
|
| 17 |
| url |
VCID-mumt-rvzk-w7d4 |
| vulnerability_id |
VCID-mumt-rvzk-w7d4 |
| summary |
Improper Authentication
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1718 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.5867 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58653 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58659 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58677 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58658 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58638 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58526 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.5861 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58631 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.58601 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1718 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@8.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@8.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 5 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 6 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 7 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 8 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 9 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 10 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 11 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 12 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 13 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 14 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 15 |
| vulnerability |
VCID-umcf-t6w5-juha |
|
| 16 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 17 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 18 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 19 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@8.0.0 |
|
|
| aliases |
CVE-2020-1718, GHSA-j229-2h63-rvh9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mumt-rvzk-w7d4 |
|
| 18 |
| url |
VCID-nhe2-8dtq-gqbf |
| vulnerability_id |
VCID-nhe2-8dtq-gqbf |
| summary |
URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39737 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39721 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39743 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39661 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.3973 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39739 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39703 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00181 |
| scoring_system |
epss |
| scoring_elements |
0.39687 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6291 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-6291, GHSA-mpwq-j3xf-7m5w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nhe2-8dtq-gqbf |
|
| 19 |
| url |
VCID-rssz-yqj9-b7h8 |
| vulnerability_id |
VCID-rssz-yqj9-b7h8 |
| summary |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14366 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59707 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59625 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59676 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.5969 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.5971 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59693 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59674 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59557 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59631 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00384 |
| scoring_system |
epss |
| scoring_elements |
0.59656 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14366 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-14366, GHSA-cp67-8w3w-6h9c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rssz-yqj9-b7h8 |
|
| 20 |
| url |
VCID-sk6p-vfu6-7kem |
| vulnerability_id |
VCID-sk6p-vfu6-7kem |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50616 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50565 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50518 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50573 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.5057 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50612 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50589 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50574 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50481 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50537 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-10776 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-10776, GHSA-484q-784p-8m5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sk6p-vfu6-7kem |
|
| 21 |
| url |
VCID-w7ds-xt1u-9uf9 |
| vulnerability_id |
VCID-w7ds-xt1u-9uf9 |
| summary |
Improper Authentication
It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12160 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68668 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68563 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68582 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.686 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68577 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68629 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68647 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68671 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00571 |
| scoring_system |
epss |
| scoring_elements |
0.68658 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-12160 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@3.3.0.Final |
| purl |
pkg:maven/org.keycloak/keycloak-parent@3.3.0.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-78nt-79j3-k3fh |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 7 |
| vulnerability |
VCID-9bn2-agpc-hfdz |
|
| 8 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-evqq-d8uz-9be1 |
|
| 11 |
| vulnerability |
VCID-f763-ps3s-b3ep |
|
| 12 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 13 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 14 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 15 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 16 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 17 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 18 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 19 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 20 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 21 |
| vulnerability |
VCID-w7ds-xt1u-9uf9 |
|
| 22 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 23 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 24 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 25 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@3.3.0.Final |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-parent@3.4.0.CR1 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@3.4.0.CR1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 4 |
| vulnerability |
VCID-78nt-79j3-k3fh |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 7 |
| vulnerability |
VCID-9bn2-agpc-hfdz |
|
| 8 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-evqq-d8uz-9be1 |
|
| 11 |
| vulnerability |
VCID-f763-ps3s-b3ep |
|
| 12 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 13 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 14 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 15 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 16 |
| vulnerability |
VCID-jprv-e2zb-v7bb |
|
| 17 |
| vulnerability |
VCID-mumt-rvzk-w7d4 |
|
| 18 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 19 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 20 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 21 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 22 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
| 23 |
| vulnerability |
VCID-xdxx-tdkj-wbba |
|
| 24 |
| vulnerability |
VCID-yk5u-7cuz-7kdt |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@3.4.0.CR1 |
|
|
| aliases |
CVE-2017-12160, GHSA-qc72-gfvw-76h7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w7ds-xt1u-9uf9 |
|
| 22 |
| url |
VCID-xauc-r9cm-sycu |
| vulnerability_id |
VCID-xauc-r9cm-sycu |
| summary |
Keycloak vulnerable to path traversal via double URL encoding
Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. |
| references |
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3782 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.31077 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.3107 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.31042 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.31033 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.30988 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.31119 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.31166 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.31019 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.0012 |
| scoring_system |
epss |
| scoring_elements |
0.30985 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-3782 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-3782, GHSA-g8q8-fggx-9r3q, GMS-2022-8407
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xauc-r9cm-sycu |
|
| 23 |
| url |
VCID-xdfe-9zr4-47ax |
| vulnerability_id |
VCID-xdfe-9zr4-47ax |
| summary |
Allocation of Resources Without Limits or Throttling
A flaw was found in keycloak-model-infinispan in Keycloak, where the authenticationSessions map in RootAuthenticationSessionEntity grows without bound, which could lead to a denial-of-service (DoS) attack. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3637 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64501 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64475 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64491 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64506 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64495 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64467 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64383 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64437 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64468 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00468 |
| scoring_system |
epss |
| scoring_elements |
0.64427 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3637 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-3637, GHSA-2vp8-jv5v-6qh6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xdfe-9zr4-47ax |
|
| 24 |
| url |
VCID-xdxx-tdkj-wbba |
| vulnerability_id |
VCID-xdxx-tdkj-wbba |
| summary |
Improper Certificate Validation
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform TLS hostname verification when sending emails through the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48804 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.4875 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48704 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48759 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48756 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48773 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48747 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48755 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48685 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00254 |
| scoring_system |
epss |
| scoring_elements |
0.48724 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1758 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 4 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8cmx-d3j7-vqbz |
|
| 7 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 8 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 11 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 14 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 15 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 16 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 17 |
| vulnerability |
VCID-umcf-t6w5-juha |
|
| 18 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 19 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@10.0.0 |
|
|
| aliases |
CVE-2020-1758, GHSA-c597-f74m-jgc2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xdxx-tdkj-wbba |
|
| 25 |
| url |
VCID-yk5u-7cuz-7kdt |
| vulnerability_id |
VCID-yk5u-7cuz-7kdt |
| summary |
Incorrect Permission Assignment for Critical Resource
A flaw was found in all versions of Keycloak before 10.0.0, where the Node.js adapter did not support the verify-token-audience setting. This flaw results in some users having access to sensitive information outside of their permissions. |
| references |
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1694 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.51001 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50942 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50999 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50996 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.51039 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.51018 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50906 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.5096 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50985 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-1694 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-parent@10.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-parent@10.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-14c3-xa9j-mbab |
|
| 1 |
| vulnerability |
VCID-3248-31p8-tyd4 |
|
| 2 |
| vulnerability |
VCID-3jpe-awam-wqdz |
|
| 3 |
| vulnerability |
VCID-546n-kc1p-cyhm |
|
| 4 |
| vulnerability |
VCID-6ure-3hgz-xfgn |
|
| 5 |
| vulnerability |
VCID-7z49-f322-n7g8 |
|
| 6 |
| vulnerability |
VCID-8cmx-d3j7-vqbz |
|
| 7 |
| vulnerability |
VCID-8zrg-f41g-pqfk |
|
| 8 |
| vulnerability |
VCID-cabc-jrpz-vuad |
|
| 9 |
| vulnerability |
VCID-dxj3-8sk5-mfdy |
|
| 10 |
| vulnerability |
VCID-f8mj-85vd-2yh5 |
|
| 11 |
| vulnerability |
VCID-gjzp-cqhp-augx |
|
| 12 |
| vulnerability |
VCID-gndk-728r-9yh7 |
|
| 13 |
| vulnerability |
VCID-jkh6-bvx2-dycm |
|
| 14 |
| vulnerability |
VCID-nhe2-8dtq-gqbf |
|
| 15 |
| vulnerability |
VCID-rssz-yqj9-b7h8 |
|
| 16 |
| vulnerability |
VCID-sk6p-vfu6-7kem |
|
| 17 |
| vulnerability |
VCID-umcf-t6w5-juha |
|
| 18 |
| vulnerability |
VCID-xauc-r9cm-sycu |
|
| 19 |
| vulnerability |
VCID-xdfe-9zr4-47ax |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@10.0.0 |
|
|
| aliases |
CVE-2020-1694, GHSA-72j4-94rx-cr6w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yk5u-7cuz-7kdt |
|