{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33506/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","ory-polis","cve-2026-33506","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOry Polis, formerly known as BoxyHQ Jackson, is a service that bridges or proxies SAML login flows to OAuth 2.0 or OpenID Connect. A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in versions of Ory Polis prior to 26.2.0. This vulnerability arises from the application\u0026rsquo;s improper trust of the \u003ccode\u003ecallbackUrl\u003c/code\u003e URL parameter within its login functionality. An attacker can exploit this by crafting a malicious link containing JavaScript code within the \u003ccode\u003ecallbackUrl\u003c/code\u003e. When a…\u003c/p\u003e\n","date_modified":"2026-03-26T19:17:05Z","date_published":"2026-03-26T19:17:05Z","id":"/briefs/2024-01-ory-polis-xss/","summary":"Ory Polis versions prior to 26.2.0 are vulnerable to DOM-based XSS due to improper handling of the `callbackUrl` parameter, allowing attackers to execute arbitrary JavaScript in a user's browser.","title":"Ory Polis DOM-based XSS Vulnerability (CVE-2026-33506)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-polis-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33506","version":"https://jsonfeed.org/version/1.1"}