
CVE-2026-33506 - Vulnerability Analysis

High (CVSS: 8.8)

Last Updated: March 26, 2026

Ory Polis - Stored XSS

Published: March 26, 2026. Updated: March 26, 2026. Remotely exploitable.

Overview

Ory Polis < 26.2.0 contains a stored XSS caused by improper trust of the 'callbackUrl' parameter in the login functionality. It lets an attacker execute arbitrary JavaScript in the victim's browser; exploitation requires the victim to open a crafted link and either already be authenticated or log in afterwards.
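The root cause above is a login flow that stores and later reflects an attacker-controlled callbackUrl. The following is an added illustration of the defensive pattern for such a parameter, written for this page and not taken from Ory Polis or its fix: the value is parsed, restricted to http(s) destinations on an assumed per-deployment allowlist (or a plain same-origin path), and replaced by a safe default otherwise, so the raw input is never stored or echoed. The allowlist origin and the default path are assumptions.

```javascript
// Added example, not Ory Polis code: validate a login callbackUrl before it is
// persisted or reflected. Anything not explicitly recognised collapses to a
// safe default instead of being passed through.

// Assumed deployment-specific allowlist of origins the login may return to.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const DEFAULT_CALLBACK = "/"; // assumed safe landing page

// Returns a trusted absolute URL or same-origin path, else DEFAULT_CALLBACK.
function safeCallbackUrl(raw, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return DEFAULT_CALLBACK;
  }
  const value = raw.trim();

  // "//host" and "/\host" are treated as external hosts by browsers, so they
  // must not be accepted as "relative" paths.
  if (/^[\/\\]{2}/.test(value)) return DEFAULT_CALLBACK;

  // Same-origin relative path: accept, but refuse control characters and the
  // characters that break out of an HTML attribute or text context. Output
  // encoding at render time is still required; this is defence in depth.
  if (value.startsWith("/")) {
    return /[\u0000-\u001f\u007f<>"']/.test(value) ? DEFAULT_CALLBACK : value;
  }

  // Absolute URL: must parse, must be http(s) (this rejects javascript:,
  // data:, vbscript: and friends), must be on the allowlist, no credentials.
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return DEFAULT_CALLBACK; // not an absolute URL and not a path
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return DEFAULT_CALLBACK;
  }
  if (!allowedOrigins.has(parsed.origin)) return DEFAULT_CALLBACK;
  if (parsed.username || parsed.password) return DEFAULT_CALLBACK;
  return parsed.href; // normalised form, never the raw input
}
```

The same check belongs at every point where the stored value is read back, not only on the login request, so a value written by an older version cannot be replayed after an upgrade.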

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Attackers can execute arbitrary JavaScript in the victim's browser, leading to credential theft and unauthorized actions.

Mitigation

Update to version 26.2.0 or later.

Details

CVE ID
CVE-2026-33506
Severity
High
CVSS Score
8.8
Type
stored_xss
Status
new

CWE

  • CWE-87

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L