Ory Polis DOM-based XSS Vulnerability (CVE-2026-33506)

hello@craftedsignal.io — Thu, 26 Mar 2026 19:17:05 +0000

Ory Polis, formerly known as BoxyHQ Jackson, is a service that bridges or proxies SAML login flows to OAuth 2.0 or OpenID Connect. A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in versions of Ory Polis prior to 26.2.0. This vulnerability arises from the application’s improper trust of the callbackUrl URL parameter within its login functionality. An attacker can exploit this by crafting a malicious link containing JavaScript code within the callbackUrl. When a…

Ory-Polis — CraftedSignal Threat Feed

Ory Polis DOM-based XSS Vulnerability (CVE-2026-33506)