WSO2 Identity Server Reflected Cross-Site Scripting Vulnerability in Authentication Endpoint

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the authentication endpoint of WSO2 Identity Server version 7.1.0. The endpoint fails to properly validate and encode user-supplied input, allowing malicious JavaScript payloads to be injected. Exploitation could enable an attacker to redirect users to malicious websites, alter the web page's user interface, access browser information, or perform other harmful actions. Session-related cookies are, however, protected with the HttpOnly flag, which prevents session hijacking.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

WSO2 Identity Server users can apply the public fix available on GitHub. Support subscription holders should update to version 7.1.0 Update Level 28.

Added: Apr 29, 2026, 9:24 AM
Updated: Apr 29, 2026, 9:24 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          1.7
  exploitability  6.4
  remediation     7.7
  relevance       7.0
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.