CVE-2026-33506
Published: 26 March 2026
Description
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
Mitigating Controls (NIST 800-53 r5)
Requires validation of untrusted inputs like the `callbackUrl` parameter to block malicious JavaScript payloads in DOM-based XSS attacks.
Mandates filtering and encoding of outputs prior to insertion into the DOM via `router.push`, preventing arbitrary JavaScript execution from tainted URLs.
Ensures timely identification, reporting, and patching of the specific flaw in versions prior to 26.2.0 that improperly trusts `callbackUrl`.
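The input-validation control above, as an added example that is not Ory Polis code: before a `callbackUrl` taken from the query string reaches a client-side router, accept only a same-origin relative path and fall back to a safe default otherwise. The function name, the `APP_ORIGIN` value and the sample inputs are assumptions for the illustration.

```javascript
// Added example (not Ory Polis code). Reduce an untrusted callbackUrl to a
// same-origin relative path, or return `fallback`. APP_ORIGIN is a constructed
// sample origin; in a real app it comes from configuration, never from the URL.
const APP_ORIGIN = "https://sso.example.com";

// Accepts "/path?query#hash" only. Rejects absolute URLs, scheme-less "//host"
// and "/\host" forms (both resolve to another origin), "javascript:" and other
// schemes, and any control characters that parsers may strip or reinterpret.
function safeCallbackUrl(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return fallback;
  if (/[\u0000-\u001f\u007f]/.test(raw)) return fallback;
  if (!/^\/(?![\/\\])/.test(raw)) return fallback;

  let parsed;
  try {
    parsed = new URL(raw, APP_ORIGIN); // WHATWG parser resolves dot segments etc.
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;

  // Re-check the normalised path: "/..//host" resolves to pathname "//host",
  // which a router would treat as protocol-relative, so it must be rejected too.
  const out = parsed.pathname + parsed.search + parsed.hash;
  return /^\/(?![\/\\])/.test(out) ? out : fallback;
}

// Usage at the call site that previously trusted the parameter directly:
//   router.push(safeCallbackUrl(new URLSearchParams(location.search).get("callbackUrl")));
```

Rejected inputs fall back to the application's own landing page rather than producing an error, so the login flow still completes for the user.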
Security Summary
CVE-2026-33506 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Ory Polis, formerly known as BoxyHQ Jackson, a tool that bridges or proxies SAML login flows to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 improperly trust a URL parameter called `callbackUrl`, which is passed directly to `router.push` in the login functionality. This flaw, linked to CWE-87 (Improper Neutralization of Alternate XSS Syntax) and CWE-601 (URL Redirection to Untrusted Site), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction dependency, and scope change with high confidentiality impact.
An attacker can exploit this vulnerability by crafting a malicious link containing a tainted `callbackUrl`. When an authenticated user—or an unauthenticated user who later logs in—opens the link in their browser, it triggers a client-side redirect and executes arbitrary JavaScript in the victim's browser context. Potential outcomes include theft of user credentials, pivoting to internal networks, and performing unauthorized actions on the victim's behalf, such as session hijacking or data exfiltration.
The Ory Polis GitHub security advisory (GHSA-3wjr-6gw8-9j22) and release notes for version 26.2.0 detail the patch, which addresses the improper handling of the `callbackUrl` parameter to prevent XSS execution. Security practitioners should upgrade to version 26.2.0 or later and review deployments for exposure of login endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
DOM XSS via an untrusted `callbackUrl` enables arbitrary JavaScript execution in the browser when the link is opened (T1189 Drive-by Compromise, T1059.007 Command and Scripting Interpreter: JavaScript) and direct theft of session cookies (T1539 Steal Web Session Cookie).