Vulnerability details: VCID-4wff-yxx3-fudx
Vulnerability ID VCID-4wff-yxx3-fudx
Aliases GHSA-m98g-63qj-fp8j
GMS-2022-1097
Summary Reflected XSS on clients-registrations endpoint

A POST-based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts in the user's browser.

### Acknowledgement

Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
No exploits are available.

No EPSS data available for this vulnerability.

Date 2025-07-31T08:59:41.982286+00:00
Actor GithubOSV Importer
Action Import
Source https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-m98g-63qj-fp8j/GHSA-m98g-63qj-fp8j.json
VulnerableCode Version 37.0.0