LeakyCreds

CVE-2026-33506 - Vulnerability Analysis

High (CVSS: 8.8)

Last Updated: March 26, 2026

Ory Polis - Stored XSS

Published: March 26, 2026 | Updated: March 26, 2026 | Remote Exploitable

Overview

Ory Polis versions before 26.2.0 contain a stored XSS caused by improper trust of the 'callbackUrl' parameter in the login functionality. It lets an attacker execute arbitrary JavaScript in the victim's browser; exploitation requires the victim to open a crafted link and either already be authenticated or log in afterwards.
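The root cause described above is a login flow trusting the `callbackUrl` value it receives. As an added example (not Ory Polis's own code; the function name and the allowlisted origins are assumptions), this is the kind of validation a login handler can apply before such a value is written into the DOM or used as a redirect target:

```javascript
// Added example, not Ory Polis code: a defensive validator for a login
// "callbackUrl"-style parameter. The allowlist below is constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns a normalized absolute URL when `raw` is safe to use as a post-login
// redirect, or null when the value must be ignored. Relative paths are
// resolved against the first allowed origin so the app's own routes work.
function sanitizeCallbackUrl(raw, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return null;
  }
  // Control characters or whitespace inside the value indicate tampering.
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return null;

  const base = allowedOrigins.values().next().value;
  let url;
  try {
    // Parsing with a base makes "/dashboard" resolve correctly, and turns a
    // protocol-relative "//other.example/x" into an absolute URL on
    // other.example, which the origin check below then rejects.
    url = new URL(raw, base);
  } catch {
    return null; // unparsable input is never forwarded
  }

  // Only web origins: this rejects javascript:, data:, vbscript: and similar
  // schemes that a browser would otherwise execute when navigated to.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Exact-origin allowlist, so "app.example.com.other.example" does not pass
  // a naive prefix or substring check.
  if (!allowedOrigins.has(url.origin)) return null;

  // Never forward embedded credentials.
  if (url.username || url.password) return null;

  return url.href;
}

// When rendering, assign the result to `a.href` and set the visible text with
// `textContent`; never interpolate the raw parameter into innerHTML.
```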

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 6.7% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary JavaScript in the victim's browser, leading to credential theft and unauthorized actions performed in the victim's session.

Mitigation

Update to version 26.2.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 26, 2026

🟠 CVE-2026-33506 - High (8.8) Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The applica... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33506/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33506
Severity: High
CVSS Score: 8.8
Type: stored_xss
Status: new
EPSS: 6.7%
Social Posts: 1

CWE

  • CWE-87 (Improper Neutralization of Alternate XSS Syntax)

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

EPSS Score

6.7% (probability of exploitation in the next 30 days)