Product
A critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-44203, in OpenIdentityPlatform OpenAM's `openam-oauth2` component allows an unauthenticated attacker to inject malicious scripts into a victim's browser context by manipulating the `state` parameter in OAuth2/OIDC `form_post` responses, leading to session hijacking or credential theft.