OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
Critical severity
GitHub Reviewed
Published
Jun 21, 2026
in
OpenIdentityPlatform/OpenAM
•
Updated Jun 22, 2026
Package
Affected versions
>= 13.0.0, < 16.1.1
Patched versions
16.1.1
Description
Published to the GitHub Advisory Database
Jun 22, 2026
Reviewed
Jun 22, 2026
Last updated
Jun 22, 2026
Summary
The OAuth 2.0 / OpenID Connect authorization endpoint does not sufficiently sanitize certain user-supplied parameters before incorporating them into the HTML response generated for the
form_postresponse mode. This may allow an attacker to inject content into the rendered page in the context of the OpenAM origin.References