GHSA-fq9h-c788-fx73
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fq9h-c788-fx73
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-fq9h-c788-fx73/GHSA-fq9h-c788-fx73.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fq9h-c788-fx73
- Aliases
-
- CVE-2026-44203
- Published
- 2026-06-22T20:11:49Z
- Modified
- 2026-06-22T20:30:08.386807704Z
- Severity
-
- 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
- Details
-
Summary
The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the
form_postresponse mode. This may allow an attacker to inject content into the rendered page in the context of the OpenAM origin. - Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2026-06-22T20:11:49Z", "cwe_ids": [ "CWE-79" ], "severity": "CRITICAL", "github_reviewed": true }- References
Affected packages
Maven / org.openidentityplatform.openam:openam-oauth2
Package
- Name
- org.openidentityplatform.openam:openam-oauth2
- View open source insights on deps.dev
- Purl
- pkg:maven/org.openidentityplatform.openam/openam-oauth2
Affected versions
14.*
14.5.2
14.5.3
14.5.4
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2
14.7.3
14.7.4
14.8.1
14.8.2
14.8.3
14.8.4
15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.0.4
15.1.0
15.1.1
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.2.0
15.2.1
15.2.2
16.*
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.1.0