CVE-2026-37980EPSS p13.1%

CVE-2026-37980CVE-2026-37980

redhat / build_of_keycloak

Description

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.

Scoring

CVSS 6.9 ()
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
EPSS0.23% probability of exploitation · percentile 13.1% · 2026-06-18T12:00:27Z
Last modified2026-06-02

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-37981
CVE
CVE-2026-37979
CVE
CVE-2026-37977
CVE
CVE-2026-37982
CVE
CVE-2026-9791
CVE
CVE-2026-7507
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.