| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2025-14777 | keycloak: IDOR in realm client creating/deleting | Red Hat | Red Hat build of Keycloak 26.4 | Medium | 6.0 | 2025-12-16 05:02:42 |
| CVE-2025-14082 | keycloak-services: Keycloak Admin REST API: improper access control leads to sensitive role metadata information disclosure | Red Hat | Red Hat build of Keycloak 26.4 | Low | 2.7 | 2025-12-10 09:04:51 |
| CVE-2024-3884 | undertow: OutOfMemory when parsing form data encoded with application/x-www-form-urlencoded | Red Hat | Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | High | 7.5 | 2025-12-03 18:40:26 |
| CVE-2025-13467 | org.keycloak.storage.ldap: Keycloak: deserialization of untrusted data in LDAP user federation | Keycloak | Keycloak | Medium | 5.5 | 2025-11-25 16:02:21 |
| CVE-2025-11538 | keycloak-server: debug default bind address | Keycloak | keycloak | Medium | 6.8 | 2025-11-13 16:47:54 |
| CVE-2025-12390 | org.keycloak.protocol.oidc.endpoints.LogoutEndpoint: offline session takeover due to reused authentication session ID | Keycloak | keycloak | Medium | 6.0 | 2025-10-28 13:23:35 |
| CVE-2025-10939 | org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console | Keycloak | keycloak | Low | 3.7 | 2025-10-28 03:08:30 |
| CVE-2025-12110 | keycloak: org.keycloak:keycloak-services: user can refresh offline session even after the client's offline_access scope was removed | Keycloak | keycloak | Medium | 5.4 | 2025-10-23 14:19:25 |
| CVE-2025-11429 | keycloak-server: overly long session not compliant with configured settings | Keycloak | keycloak | Medium | 5.4 | 2025-10-23 14:09:32 |
| CVE-2025-10044 | keycloak: error_description injection on error pages | Keycloak | keycloak | Medium | 4.3 | 2025-09-05 19:59:04 |
| CVE-2025-9162 | org.keycloak/keycloak-model-storage-service: variable injection into environment variables | Keycloak | keycloak | Medium | 4.9 | 2025-08-21 15:40:25 |
| CVE-2025-8419 | org.keycloak/keycloak-services: Keycloak SMTP injection vulnerability | Keycloak | keycloak | Medium | 5.3 | 2025-08-06 17:10:03 |
| CVE-2025-7784 | org.keycloak/keycloak-services: privilege escalation in Keycloak admin console (FGAPv2 enabled) | - | - | Medium | 6.5 | 2025-07-18 13:48:46 |
| CVE-2025-7365 | keycloak: phishing attack via email verification step in first login flow | - | - | High | 7.1 | 2025-07-10 14:20:46 |
| CVE-2025-5416 | keycloak-core: Keycloak environment information | Red Hat | Red Hat Build of Keycloak | Low | 2.7 | 2025-06-20 16:04:06 |
| CVE-2025-3910 | org.keycloak.authentication: two-factor authentication bypass | - | - | Medium | 5.4 | 2025-04-29 20:46:40 |
| CVE-2025-3501 | org.keycloak.protocol.services: Keycloak hostname verification | - | - | High | 8.2 | 2025-04-29 20:45:30 |
| CVE-2025-2559 | org.keycloak/keycloak-services: JWT token cache exhaustion leading to denial of service (DoS) in Keycloak | - | - | Medium | 4.9 | 2025-03-25 08:20:58 |
| CVE-2025-23368 | org.wildfly.core:wildfly-elytron-integration: WildFly Elytron brute-force attack via CLI | - | - | High | 8.1 | 2025-03-04 15:14:48 |
| CVE-2024-4028 | keycloak-core: stored XSS in Keycloak when creating items in admin console | - | - | Low | 3.8 | 2025-02-18 17:54:09 |