CVE-2026-33525

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33525
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33525.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33525
Aliases
Downstream
Related
Published
2026-03-26T19:22:57.418Z
Modified
2026-04-10T05:43:18.935681Z
Severity
  • 0.5 (Low) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U CVSS Calculator
Summary
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Details

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject javascript into the Authelia login page if several conditions are met simultaneously. Unless both the script-src and connect-src directives have been modified it's almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited. This is caused to the lack of neutralization of the langauge cookie value when rendering the HTML template. This vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint. Users should upgrade to 4.39.16 or downgrade to 4.39.14 to mitigate the issue. The overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It's only possible via the deliberate removal of the Content Security Policy or deliberate inclusion of clearly noted unsafe policies.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33525.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/authelia/authelia

Affected ranges

Type
GIT
Repo
https://github.com/authelia/authelia
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
b1d9a4905a7b35c3c283ee3aa08b6e5d862669c4
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 4.39.15"
        }
    ]
}

Affected versions

v2.*
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v3.*
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.12.0
v3.13.0
v3.14.0
v3.15.0
v3.16.2
v3.2.0
v3.3.19
v3.4.0
v3.4.1
v3.4.2
v3.5.0
v3.6.0
v3.7.0
v3.7.1
v3.8.0
v3.8.2
v3.8.3
v4.*
v4.0.0
v4.0.0-alpha1
v4.0.0-alpha2
v4.1.0
v4.10.0
v4.11.0
v4.12.0
v4.13.0
v4.13.1
v4.14.0
v4.14.1
v4.14.2
v4.15.0
v4.15.1
v4.16.0
v4.17.0
v4.18.0
v4.18.1
v4.19.0
v4.19.1
v4.19.2
v4.2.0
v4.20.0
v4.21.0
v4.22.0
v4.23.0
v4.23.1
v4.23.2
v4.23.3
v4.24.0
v4.24.1
v4.25.0
v4.25.1
v4.25.2
v4.26.0
v4.26.1
v4.26.2
v4.27.0
v4.27.1
v4.27.2
v4.27.3
v4.27.4
v4.28.0
v4.28.1
v4.28.2
v4.29.0
v4.29.1
v4.29.2
v4.29.3
v4.29.4
v4.3.0
v4.30.0
v4.30.1
v4.30.2
v4.30.3
v4.30.4
v4.30.5
v4.31.0
v4.32.0
v4.32.1
v4.32.2
v4.33.0
v4.33.1
v4.33.2
v4.34.0
v4.34.1
v4.34.2
v4.34.3
v4.34.4
v4.34.5
v4.34.6
v4.35.0
v4.35.1
v4.35.2
v4.35.3
v4.35.4
v4.35.5
v4.35.6
v4.36.0
v4.36.1
v4.36.2
v4.36.3
v4.36.4
v4.36.5
v4.36.6
v4.36.7
v4.36.8
v4.36.9
v4.37.0
v4.37.1
v4.37.2
v4.37.3
v4.37.4
v4.37.5
v4.38.0
v4.38.1
v4.38.10
v4.38.11
v4.38.12
v4.38.13
v4.38.14
v4.38.15
v4.38.16
v4.38.17
v4.38.18
v4.38.19
v4.38.2
v4.38.3
v4.38.4
v4.38.5
v4.38.6
v4.38.7
v4.38.8
v4.38.9
v4.39.0
v4.39.1
v4.39.10
v4.39.11
v4.39.12
v4.39.13
v4.39.14
v4.39.15
v4.39.2
v4.39.3
v4.39.4
v4.39.5
v4.39.6
v4.39.7
v4.39.8
v4.39.9
v4.4.0
v4.5.0
v4.5.1
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.8.0
v4.9.0
v4.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33525.json"