Ory Polis DOM-based XSS Vulnerability (CVE-2026-33506)
Ory Polis versions prior to 26.2.0 are vulnerable to DOM-based XSS due to improper handling of the `callbackUrl` parameter, allowing attackers to execute arbitrary JavaScript in a user's browser.
Ory Polis, formerly known as BoxyHQ Jackson, is a service that bridges or proxies SAML login flows to OAuth 2.0 or OpenID Connect. A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in versions of Ory Polis prior to 26.2.0. This vulnerability arises from the application's improper trust of the `callbackUrl` URL parameter within its login functionality. An attacker can exploit this by crafting a malicious link containing JavaScript code within the `callbackUrl`. When a…
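The defect class described above is a navigation sink that trusts the raw `callbackUrl` value. The following is an added example, not Ory Polis code, of how a login page can validate that parameter before it reaches the sink: the value is resolved against the application's own origin and accepted only if it is http(s) and stays on that origin, otherwise a fixed fallback path is used. The origin `https://sso.example.test` and the fallback path are assumptions for the example.

```javascript
// Added example (not the Ory Polis implementation): allow-list validation of a
// callbackUrl query parameter before it is used for navigation.

// Assumed safe fallback used whenever the supplied value is rejected.
const DEFAULT_CALLBACK = "/";

// Returns a same-origin path (path + query + fragment) the page may navigate
// to, or DEFAULT_CALLBACK when the raw value must not reach the sink.
// appOrigin is the login page's own origin, e.g. "https://sso.example.test".
function resolveSafeCallback(rawValue, appOrigin) {
  if (typeof rawValue !== "string" || rawValue.length === 0) {
    return DEFAULT_CALLBACK;
  }

  let target;
  try {
    // Relative values ("/dashboard") resolve against our origin; absolute
    // values ("javascript:...", "https://other/...") keep their own scheme
    // and host, which the checks below then reject.
    target = new URL(rawValue, appOrigin);
  } catch {
    return DEFAULT_CALLBACK; // unparseable input never reaches the sink
  }

  // Scheme allow-list: a "javascript:" URL would execute in the page's
  // origin if passed to window.location, so only http(s) is accepted.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return DEFAULT_CALLBACK;
  }

  // Origin check: also blocks open redirects, including protocol-relative
  // values such as "//other.example/x".
  if (target.origin !== new URL(appOrigin).origin) {
    return DEFAULT_CALLBACK;
  }

  // Hand back only the relative part so the caller navigates within the app.
  return target.pathname + target.search + target.hash;
}

// Stand-alone demonstration on a few constructed inputs.
const APP_ORIGIN = "https://sso.example.test"; // assumed origin
for (const v of ["/dashboard?tab=1", "javascript:alert(1)", "//other.example/x", ""]) {
  console.log(JSON.stringify(v), "->", resolveSafeCallback(v, APP_ORIGIN));
}

module.exports = { resolveSafeCallback, DEFAULT_CALLBACK };
```

In the browser the caller would then do `window.location.assign(resolveSafeCallback(params.get("callbackUrl"), window.location.origin))`; the point is that the sink only ever receives a value that already passed the scheme and origin checks.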
Detection coverage (2 rules)

- Detect Suspicious CallbackUrl Parameter (severity: high): detects suspicious requests containing potentially malicious JavaScript code in the `callbackUrl` parameter.
- Detect Suspicious CallbackUrl with Obfuscated JavaScript (severity: medium): detects potentially malicious requests with a `callbackUrl` parameter containing obfuscated JavaScript.

Detection queries are kept inside the platform.
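The platform's own queries are not shown on the page. The following is an added example, not one of those rules, of detection logic in the same spirit run over constructed access-log lines: it extracts the raw `callbackUrl` value from each request, flags a literal `javascript:` scheme as high, and flags a `javascript:` scheme that only appears after percent-decoding and case-folding as medium, which is the obfuscated case the second rule is about. The log format, IP addresses and request lines are constructed for the example.

```javascript
// Added example (not a platform detection query): classify callbackUrl values
// seen in web-server access logs.

// Constructed sample log lines in a Common-Log-Format-like shape.
const SAMPLE_LOG = [
  '203.0.113.10 - - [01/Mar/2026:10:00:00 +0000] "GET /login?callbackUrl=%2Fdashboard HTTP/1.1" 200 512',
  '203.0.113.11 - - [01/Mar/2026:10:00:01 +0000] "GET /login?callbackUrl=javascript:alert(1) HTTP/1.1" 200 512',
  '203.0.113.12 - - [01/Mar/2026:10:00:02 +0000] "GET /login?callbackUrl=%6A%61%76%61script%3Aalert(1) HTTP/1.1" 200 512',
  '203.0.113.13 - - [01/Mar/2026:10:00:03 +0000] "GET /login?callbackUrl=JaVaScRiPt:alert(1) HTTP/1.1" 200 512',
  '203.0.113.14 - - [01/Mar/2026:10:00:04 +0000] "GET /login?callbackUrl=https://sso.example.test/app HTTP/1.1" 200 512',
  '203.0.113.15 - - [01/Mar/2026:10:00:05 +0000] "GET /healthz HTTP/1.1" 200 2',
];

// Pull the raw (still percent-encoded) callbackUrl value out of a request line.
function extractRawCallbackUrl(line) {
  const req = /"(?:GET|POST) (\S+) HTTP\//.exec(line);
  if (!req) return null;
  const param = /[?&]callbackUrl=([^&\s]*)/.exec(req[1]);
  return param ? param[1] : null;
}

// Canonicalise a value the way a browser would effectively see it: undo up
// to three rounds of percent-encoding, drop ASCII control/whitespace
// characters, and lower-case the result.
function normalizeValue(value) {
  let v = value;
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(v.replace(/\+/g, " "));
    } catch {
      break; // malformed escape sequence: stop decoding, keep what we have
    }
    if (decoded === v) break;
    v = decoded;
  }
  return v.replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

// "high": literal javascript: scheme in the raw value (first rule above).
// "medium": javascript: scheme only visible after normalisation (second rule).
// "none": nothing suspicious, or no callbackUrl at all.
function classifyCallbackUrl(rawValue) {
  if (rawValue === null) return "none";
  if (rawValue.startsWith("javascript:")) return "high";
  if (normalizeValue(rawValue).startsWith("javascript:")) return "medium";
  return "none";
}

// Scan a list of log lines and return one finding per suspicious request.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const raw = extractRawCallbackUrl(line);
    const severity = classifyCallbackUrl(raw);
    if (severity === "none") continue;
    findings.push({ ip: line.split(" ")[0], severity, callbackUrl: raw });
  }
  return findings;
}

// Stand-alone demonstration on the constructed sample.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.severity.toUpperCase()} ${f.ip} callbackUrl=${f.callbackUrl}`);
}

module.exports = { SAMPLE_LOG, extractRawCallbackUrl, normalizeValue, classifyCallbackUrl, scanLog };
```

The normalisation step is what separates the two severities: a rule that only matches the literal string misses encoded or mixed-case variants, while a rule that only matches after decoding loses the signal that the attacker did not bother to obfuscate at all.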