CVE-2026-33506— DOM-Based XSS in Ory Polis Login Page
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33506
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
DOM-Based XSS in Ory Polis Login Page
Source: NVD (National Vulnerability Database)
Vulnerability Description
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
替代XSS语法转义处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Ory polis 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Ory polis是Ory开源的一个开源的企业单点登录与目录同步解决方案。 Ory Polis 26.2.0之前版本存在输入验证错误漏洞,该漏洞源于对URL参数callbackUrl信任不当,可能导致基于DOM的跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33506
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 5764 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-33506
请登录查看更多情报信息。
- Release Release v26.2.0 · ory/polis · GitHubx_refsource_MISC
- DOM-Based XSS in Ory Polis Login Page · Advisory · ory/polis · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-33506
Same Patch Batch · ory · 2026-03-26 · 7 CVEs total
| CVE-2026-33494 | 10.0 CRITICAL | Ory Oathkeeper has a path traversal authorization bypass |
| CVE-2026-33496 | 8.1 HIGH | Ory Oathkeeper has an authentication bypass by cache key confusion |
| CVE-2026-33503 | 7.2 HIGH | Ory Kratos has a SQL injection via forged pagination tokens |
| CVE-2026-33504 | 7.2 HIGH | Ory Hydra has a SQL injection via forged pagination tokens |
| CVE-2026-33505 | 7.2 HIGH | Ory Keto has a SQL injection via forged pagination tokens |
| CVE-2026-33495 | 6.5 MEDIUM | Ory Oathkeeper has an authentication bypass by usage of untrusted header |
IV. Related Vulnerabilities
Same vendor: ory
- CVE-2026-33505
Ory Keto has a SQL injection via forged pagination tokens - CVE-2026-33504
Ory Hydra has a SQL injection via forged pagination tokens - CVE-2026-33503
Ory Kratos has a SQL injection via forged pagination tokens - CVE-2026-33496
Ory Oathkeeper has an authentication bypass by cache key con - CVE-2026-33495
Ory Oathkeeper has an authentication bypass by usage of untr
Same weakness: CWE-87
- CVE-2026-42235
n8n: XSS via MCP OAuth client - CVE-2026-40321
DotNetNuke.Core has stored cross-site-scripting (XSS) via SV - CVE-2025-14732
Elementor Website Builder <= 3.35.5 - Authenticated (Contrib - CVE-2026-22711
Stored XSS through system messages in WikiLove - CVE-2026-33510
DOM-Based XSS in Homarr /auth/login Redirect
V. Comments for CVE-2026-33506
No comments yet