Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/ui
Describe the bug
In Keycloak version 26.2.4, the group creation form in the admin console allows users to enter script tags in the group name field. This input is rendered without sanitization and appears as-is in the "Groups available" list, creating a potential cross-site scripting (XSS) vulnerability.
Version
26.2.4
Regression
- The issue is a regression
Expected behavior
Group names should be validated and sanitized. HTML/script tags must be escaped or rejected to prevent XSS.
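The two defences named above (escape on output, or reject on input) shown side by side with the unsafe pattern the report describes. This is an added illustration, not code from Keycloak's admin console; the function names, the validation policy in validateGroupName and the sample group data are assumptions made for the example.

```javascript
// Added example (not Keycloak's code): output encoding and input validation
// for user-controlled display strings such as group names.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string so it is rendered as literal text wherever it lands in
// HTML. A single regex pass replaces each character exactly once, so the
// ampersands introduced by the replacements are not escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern from the report: the raw name is concatenated into markup,
// so a name containing tags becomes part of the rendered DOM.
function renderGroupListUnsafe(groups) {
  return "<ul>" + groups.map((g) => `<li>${g.name}</li>`).join("") + "</ul>";
}

// Hardened pattern: every untrusted value is escaped at the point where it is
// inserted into markup, independently of any validation done on input.
function renderGroupListSafe(groups) {
  return (
    "<ul>" +
    groups.map((g) => `<li>${escapeHtml(g.name)}</li>`).join("") +
    "</ul>"
  );
}

// Input-side rule (the "rejected" alternative): refuse names that contain
// HTML tag delimiters. Returns an error message, or null when the name is
// acceptable. Assumed policy for this example, not Keycloak's actual rules.
function validateGroupName(name) {
  if (typeof name !== "string" || name.trim().length === 0) {
    return "Group name must not be empty";
  }
  if (/[<>]/.test(name)) {
    return "Group name must not contain '<' or '>'";
  }
  return null;
}

// Constructed sample data mirroring the reproduction steps in the report.
const sampleGroups = [
  { name: "developers" },
  { name: '<script>alert("XSS")</script>' },
];

// Rendering the same list both ways: the unsafe string still contains a
// live <script> element, the safe one contains only entity-encoded text.
console.log("unsafe:", renderGroupListUnsafe(sampleGroups));
console.log("safe:  ", renderGroupListSafe(sampleGroups));
console.log("validation:", sampleGroups.map((g) => validateGroupName(g.name)));
```

Output escaping is the defence that holds regardless of how the value entered the database (admin console, REST API, import), which is why a renderer should escape even when input validation is also in place.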
Actual behavior
The input is accepted and rendered, which could allow execution of injected JavaScript.
How to Reproduce?
Go to Groups in the Keycloak admin console.
Click on Create group.
Enter <script>alert("XSS")</script> as the group name.
Click Save.
Observe that the group is created and the script appears in the list, potentially executing code if rendered in an unsafe context.
Anything else?
This issue allows an attacker to inject JavaScript that may execute in the browser of any user viewing the group list. It is a critical XSS vulnerability if exploited.