Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-qj5r-2r5p-phc7

GitHub Security Advisory

Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability

✓ GitHub Reviewed MODERATE Withdrawn
View on GitHub

Advisory Details

### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.

### Original Description
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.

Affected Packages

Maven org.keycloak:keycloak-services
Affected versions: 0 (last affected: 26.3.2)

Key Information

GHSA ID
GHSA-qj5r-2r5p-phc7
Published
August 6, 2025 6:31 PM
Last Modified
September 17, 2025 8:23 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.keycloak:keycloak-services
GitHub Reviewed
✓ Yes
Withdrawn
September 17, 2025 8:23 PM

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.