
CERT Coordination Center

Radware Alteon has a reflected XSS vulnerability that can execute JavaScript in the host browser

Vulnerability Note VU#890999

Original Release Date: 2026-04-21 | Last Revised: 2026-04-21

Overview

Radware Alteon has a reflected Cross-Site Scripting (XSS) vulnerability in the parameter ReturnTo of the route /protected/login. This vulnerability allows an attacker to execute JavaScript in the host browser.

Description

CVE-2026-5754: Reflected Cross-Site Scripting (XSS) vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.

A reflected Cross-Site Scripting (XSS) vulnerability exists in the ReturnTo parameter of the /protected/login route in Radware Alteon version 34.5.4.0. The vulnerability arises from the lack of user input sanitization, allowing an attacker to inject malicious scripts. Specifically, when a user requests a resource that redirects to a Microsoft SAML login page, the load-balancer redirects the user to the login page with a ReturnTo parameter that fails to sanitize user input. An attacker can exploit this by injecting a malicious payload in the ReturnTo parameter, which will be executed in the victim's browser.

An example attack flow is below:

  1. Attacker creates link with XSS payload in ReturnTo parameter.
  2. Victim clicks malicious link, redirecting to login page.
  3. Load-balancer reflects malicious ReturnTo parameter, executing XSS payload.
  4. Attacker performs JavaScript code execution in the victim's browser.
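The attack flow above is also the detection opportunity: every exploitation attempt is a request to /protected/login whose ReturnTo value contains markup or a script scheme instead of a plain path. The following detector is an added example, not part of this note and not Radware's code. It parses constructed sample log lines in a generic common-log style (the real Alteon log format is not described here, so only the request path and query string are relied on), URL-decodes ReturnTo up to two times to catch double-encoded values, and flags values carrying HTML or script indicators.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in a generic common-log style (not real
# Alteon log output). Only the request path and query string matter here.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2026:10:00:01 +0000] "GET /protected/login?ReturnTo=%2Fdashboard HTTP/1.1" 302 0
203.0.113.11 - - [21/Apr/2026:10:00:05 +0000] "GET /protected/login?ReturnTo=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1234
203.0.113.12 - - [21/Apr/2026:10:00:09 +0000] "GET /protected/login?returnto=javascript%3Aalert%281%29 HTTP/1.1" 200 1200
203.0.113.13 - - [21/Apr/2026:10:00:12 +0000] "GET /static/app.js HTTP/1.1" 200 5000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse indicators of markup or script in a value that should be a plain path.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def is_suspicious_return_to(value: str) -> bool:
    """True if the (possibly double-encoded) value carries HTML or script markers."""
    decoded = value
    for _ in range(2):  # peel up to two layers of percent-encoding
        decoded = unquote_plus(decoded)
    return SUSPICIOUS.search(decoded) is not None


def scan_log(text: str) -> list:
    """Return one record per /protected/login request whose ReturnTo looks injected."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/protected/login":
            continue
        # Compare query keys case-insensitively so ReturnTo and returnto both count.
        params = {k.lower(): v
                  for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        for raw in params.get("returnto", []):
            if is_suspicious_return_to(raw):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"),
                             "return_to": unquote_plus(raw)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} ReturnTo={hit['return_to']!r} (HTTP {hit['status']})")
```

The indicator list is deliberately coarse and will produce some false positives on unusual but legitimate paths; in practice the hits are a triage queue, and the response status is kept in each record because a 200 on a reflected value (rather than a redirect) is the case worth looking at first.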

Impact

The impact of this vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code in a victim’s browser. Doing so enables a range of harmful activities, including the following: stealing session cookies and sensitive data; performing unauthorized actions on behalf of the victim; tricking users into falling for phishing attacks; and damaging a website’s reputation and user trust.

Solution

Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. The vendor, Radware, has acknowledged the vulnerability in their customer portal and plans to patch it in the next version, 34.5.7.0. This version was expected to be released on March 31st, 2026, based upon the release notes, but it is unclear if this release occurred and included a fix. In the meantime, users are advised to take precautions to prevent exploitation, such as validating and encoding user input.
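The advice to validate and encode the value is easiest to see beside the pattern being fixed. The code below is an added example, not part of this note and not Radware's code: it uses a hypothetical minimal login form and the function names safe_return_to, render_login_page_unsafe, render_login_page and post_login_redirect, all assumed for illustration. The unsafe renderer reflects ReturnTo verbatim, which is the behaviour the advisory describes; the hardened version first reduces ReturnTo to a same-origin absolute path (rejecting absolute and protocol-relative URLs, javascript: and control characters), then HTML-attribute-encodes what it reflects, and reuses the same validated value for the post-login redirect.

```python
import html
from typing import Optional
from urllib.parse import quote, urlsplit

DEFAULT_RETURN_TO = "/"


def safe_return_to(value: Optional[str]) -> str:
    """Reduce a ReturnTo value to a same-origin absolute path, or the default.

    Rejects absolute and protocol-relative URLs (open redirect, javascript:),
    control characters (header injection) and anything not starting with '/'.
    Whatever survives is percent-encoded so it is inert in HTML and headers.
    """
    if not value:
        return DEFAULT_RETURN_TO
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return DEFAULT_RETURN_TO
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return DEFAULT_RETURN_TO
    path = parts.path
    # '//host' and '/\host' are treated as scheme-relative by browsers.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return DEFAULT_RETURN_TO
    safe_path = quote(path, safe="/-._~%")
    safe_query = quote(parts.query, safe="=&-._~%")
    return safe_path + (f"?{safe_query}" if parts.query else "")


def render_login_page_unsafe(return_to: Optional[str]) -> str:
    """Reflects the parameter verbatim: the pattern the advisory describes."""
    return ('<form method="post" action="/protected/login">'
            f'<input type="hidden" name="ReturnTo" value="{return_to or ""}">'
            '<button>Sign in</button></form>')


def render_login_page(return_to: Optional[str]) -> str:
    """Validates first, then HTML-attribute-encodes the value that is reflected."""
    target = html.escape(safe_return_to(return_to), quote=True)
    return ('<form method="post" action="/protected/login">'
            f'<input type="hidden" name="ReturnTo" value="{target}">'
            '<button>Sign in</button></form>')


def post_login_redirect(return_to: Optional[str]) -> tuple:
    """Status and headers for the redirect after login: same validated value."""
    return (302, [("Location", safe_return_to(return_to))])


if __name__ == "__main__":
    # Constructed probe value, used only to compare the two renderers.
    probe = '/x"><script>alert(1)</script>'
    print("unsafe:", render_login_page_unsafe(probe))
    print("safe:  ", render_login_page(probe))
    print("redirect:", post_login_redirect("//evil.example/"))
```

Validation and output encoding are kept as separate steps on purpose: validation protects the later redirect (where encoding alone would not stop a protocol-relative URL), and attribute encoding protects the HTML context even if the validation rule is loosened later.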

Acknowledgements

Thanks to the reporter, Loinaz Merino Cerrajeria, for bringing this vulnerability to our attention. This document was written by Timur Snoke.

Vendor Information

Vendor: Radware
Status: Unknown
Notified: 2026-02-09
Updated: 2026-04-21
CVE-2026-5754: Unknown

Vendor Statement

We have not received a statement from the vendor.

Other Information

CVE IDs: CVE-2026-5754
API URL: VINCE JSON | CSAF
Date Public: 2026-04-21
Date First Published: 2026-04-21
Date Last Updated: 2026-04-21 15:16 UTC
Document Revision: 1

Sponsored by CISA.