โ† ุงู„ุนูˆุฏุฉ ู„ู„ุฌุฏูˆู„
CVE-2026-42849
CVE-2026-42849 - authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover
๐Ÿ“… 2026-06-02
๐Ÿ”ด Critical ๐Ÿ”ฅ No MITRE CVE High Exploit Web

๐Ÿ“‹ ุงู„ูˆุตู ุงู„ูƒุงู…ู„

CVE ID :CVE-2026-42849 Published : June 2, 2026, 9:16 p.m. | 1ย hour, 9ย minutes ago Description :authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage.

๐Ÿ’ป ุงู„ุฃู†ุธู…ุฉ ุงู„ู…ุชุฃุซุฑุฉ

authentik: Reflected XSS

โš ๏ธ ู†ูˆุน ุงู„ุชู‡ุฏูŠุฏ

Exploit

๐Ÿ”— CVE ID

CVE-2026-42849

๐Ÿ“ก ุงู„ู…ุตุฏุฑ

MITRE CVE High

โœ… ุงู„ุญู„ูˆู„ ูˆุงู„ุชุฎููŠู

Update to v2025.12.5

๐Ÿ”— ุงู„ู…ุตุฏุฑ ุงู„ุฃุตู„ูŠ โ† ๐Ÿ“˜ NVD โ† โšก CISA KEV โ†