CVE-2026-42782Apache · Syncope
Vulnerability data via NVD (ingested)
Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-42782product:"Apache Syncope"http.html:"Syncope"More intel sources (5)
vuln:CVE-2026-42782vulnerabilities.cve_id: CVE-2026-42782CVE-2026-42782CVE-2026-42782"CVE-2026-42782" exploit -site:nvd.nist.gov