OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
Advisory details
Summary
The OAuth 2.0 / OpenID Connect authorization endpoint does not HTML-encode certain user-supplied request parameters, notably state, before interpolating them into the auto-submitting HTML form that the form_post response mode returns (rendered from the FormPostResponse.ftl template). A crafted state value can therefore break out of the hidden-input attribute in which it is echoed and inject markup or script that executes in the OpenAM origin. The injection is reflected (the payload travels in the authorization request URL and is echoed in the immediate response), and the affected page can be reached without an authenticated session, which is why the issue is classed as pre-authentication. The expected fix is attribute-safe HTML encoding of every value the template interpolates, not just state; a deployment is exposed if a probe value containing quote and angle-bracket characters appears verbatim in the returned form.
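The following is an added example, not OpenAM code and not the contents of FormPostResponse.ftl. It models, in Python, what a form_post response renderer does: a hypothetical unsafe renderer that concatenates the state value into the hidden input, the corresponding escaped renderer, and a check that tells the two apart by parsing the returned HTML. The function names, the redirect URI and the probe value are all constructed for the example.

```python
# Added example: model of the OAuth 2.0 form_post response mode renderer.
# Not OpenAM's template; the function names and sample values are assumptions.
import html
from html.parser import HTMLParser


def render_form_post_unsafe(redirect_uri: str, code: str, state: str) -> str:
    """Hypothetical vulnerable renderer: request values are interpolated into
    HTML attributes without encoding, so a state value containing a double
    quote and '>' terminates the <input> and starts a new element."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{redirect_uri}">'
        f'<input type="hidden" name="code" value="{code}"/>'
        f'<input type="hidden" name="state" value="{state}"/>'
        '</form></body></html>'
    )


def render_form_post_safe(redirect_uri: str, code: str, state: str) -> str:
    """Hardened renderer: every interpolated value is attribute-encoded
    (quote=True also encodes ' and ") before it reaches the markup."""
    enc = lambda s: html.escape(s, quote=True)
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{enc(redirect_uri)}">'
        f'<input type="hidden" name="code" value="{enc(code)}"/>'
        f'<input type="hidden" name="state" value="{enc(state)}"/>'
        '</form></body></html>'
    )


class _TagCollector(HTMLParser):
    """Collects start-tag names so we can see which elements the browser's
    tokenizer would actually create from the response."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def element_names(body: str) -> list[str]:
    parser = _TagCollector()
    parser.feed(body)
    return parser.tags


def state_reflected_unescaped(body: str, probe: str) -> bool:
    """Exposure check for a captured form_post response: the probe sent as
    `state` is reflected unencoded if it appears verbatim in the body.
    (An encoded reflection contains &quot; / &lt; / &gt; instead.)"""
    return probe in body


# Constructed probe: closes the value attribute and opens a new element.
PROBE_STATE = '"><svg onload=alert(1)>'
REDIRECT_URI = "https://client.example/cb"  # assumed registered redirect_uri

if __name__ == "__main__":
    unsafe = render_form_post_unsafe(REDIRECT_URI, "authz-code-123", PROBE_STATE)
    safe = render_form_post_safe(REDIRECT_URI, "authz-code-123", PROBE_STATE)
    print("unsafe reflects probe verbatim:", state_reflected_unescaped(unsafe, PROBE_STATE))
    print("unsafe elements:", element_names(unsafe))
    print("safe reflects probe verbatim:  ", state_reflected_unescaped(safe, PROBE_STATE))
    print("safe elements:  ", element_names(safe))
```

The parser-based comparison is the useful part for triage: with the unsafe renderer the tokenizer sees an extra svg element with an onload handler, while the escaped renderer yields only the html, body, form and two input elements and the probe survives only as entity-encoded text inside the attribute. The same `state_reflected_unescaped` check can be run over a response captured from a real deployment to confirm whether a patch took effect.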