Platform
javascript
Component
ory/polis
Fixed in
26.2.1
CVE-2026-33506 describes a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Ory Polis (formerly BoxyHQ Jackson) versions prior to 26.2.0. The application improperly trusts a URL parameter, allowing attackers to execute arbitrary JavaScript in a user's browser. This could lead to credential theft or other malicious activities. Version 26.2.0 contains a fix for this vulnerability.
CVE-2026-33506 affects Ory Polis (formerly BoxyHQ Jackson) versions prior to 26.2.0. This DOM-based Cross-Site Scripting (XSS) vulnerability resides within the login functionality. The application improperly trusts a URL parameter (callbackUrl) passed to router.push. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user who subsequently logs in), performs a client-side redirect. This could allow malicious JavaScript code to be executed in the user's browser context, potentially compromising sensitive information or performing actions on the user's behalf. The risk is significant, especially in environments where authentication security is critical.
The vulnerability is exploited through manipulation of the callbackUrl parameter in a malicious URL. An attacker could distribute this link via email, social media, or other channels. When a user clicks the link, the malicious JavaScript code executes in their browser. Prior authentication of the user (or their subsequent login) allows the malicious code to execute with the user's privileges, increasing the potential impact of the attack. The client-side redirect allows the attacker to redirect the user to a malicious website, mimicking the appearance of the legitimate application.
Exploit Status
EPSS
0.07% (22% percentile)
CISA SSVC
The solution to mitigate CVE-2026-33506 is to upgrade Ory Polis to version 26.2.0 or higher. This version includes a fix that validates and sanitizes the callbackUrl parameter, preventing malicious code injection. Additionally, review your application's security configurations, ensuring best practices for input validation and XSS prevention are implemented. Monitoring application logs for suspicious activity can also help detect and respond to potential attacks. Implementing a Content Security Policy (CSP) can provide an additional layer of defense against XSS attacks.
Update Ory Polis to version 26.2.0 or higher. This version contains a fix for the XSS vulnerability. The update will eliminate the possibility of an attacker executing arbitrary JavaScript in the context of a user's browser.
Vulnerability analysis and critical alerts directly to your inbox.
Ory Polis is a tool that bridges or proxies SAML login flows to OAuth 2.0 or OpenID Connect.
Upgrading to version 26.2.0 or higher fixes the XSS vulnerability and protects against potential attacks.
If you are using a version of Ory Polis prior to 26.2.0, you are likely affected.
XSS (Cross-Site Scripting) is a type of vulnerability that allows attackers to inject malicious code into websites.
It's a parameter in a URL that specifies where the browser should redirect after an action, in this case, login.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.