CISA issues update on Radware Alteon reflected XSS vulnerability
Radware Alteon vADC load-balancers are affected by a reflected cross-site scripting (XSS) issue in the ReturnTo parameter of the /protected/login route. The vulnerability can allow an attacker to execute JavaScript in the victim's browser.
CVE-2026-5754 covers a reflected XSS vulnerability in the Radware Alteon vADC load-balancer, version 34.5.4.0. The advisory states that the ReturnTo parameter of the /protected/login route in Radware Alteon version 34.5.4.0 is not sanitized, and that this lack of user input sanitization is the cause of the reflected XSS. It describes a scenario where a user requests a resource that redirects to a Microsoft SAML login page; the load-balancer then redirects the user to the login page with a ReturnTo parameter whose value is not sanitized. An attacker can inject a malicious payload into the ReturnTo parameter, which is then executed in the victim's browser.
The impact described is that the vulnerability allows an attacker to execute arbitrary JavaScript code in a victim’s browser. The advisory lists harmful activities enabled by that capability as stealing session cookies and sensitive data, performing unauthorized actions on behalf of the victim, tricking users into falling for phishing attacks, and damaging a website’s reputation and user trust.
The advisory reports that a response team was unable to reach the vendor to coordinate disclosure of the vulnerability. It states that Radware acknowledged the vulnerability in its customer portal and plans to patch it in the next version, 34.5.7.0. The advisory adds that the 34.5.7.0 release was expected on March 31st, 2026, based on release notes, but it is unclear whether the release occurred and whether it included a fix.
As an interim measure, the advisory advises users to take precautions against exploitation, such as validating and encoding user input.
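The advisory's interim advice, validating and encoding user input, maps to two separate controls for a login redirect parameter like ReturnTo: restrict the value to a same-origin relative path before it is used, and HTML-escape it at the point where it is written into the page. The following is an added illustration written for this page, not code from Radware or from the advisory; the handler names, the hidden-field form, and the sample inputs are all assumptions constructed for the example.

```python
"""Hardened handling of a login-page ReturnTo parameter (added example).

Two defensive layers are shown:
  1. safe_return_to()  - validation: accept only same-origin relative paths.
  2. render_login_page() - output encoding: HTML-escape the value when it is
     echoed into the response, so it cannot break out of its attribute.
"""
from html import escape
from urllib.parse import urlsplit, urlunsplit

DEFAULT_RETURN_TO = "/"  # fallback landing page when the parameter is rejected


def safe_return_to(raw, default=DEFAULT_RETURN_TO):
    """Return a same-origin relative path derived from `raw`, or `default`.

    Accepts values such as "/app/page?x=1". Rejects absolute URLs, scheme-
    relative URLs ("//host/..."), the backslash variant ("/\\host"), URLs with
    a scheme ("javascript:..."), and any control characters (CR/LF included),
    so the returned value can neither redirect off-site nor carry a script
    scheme or header-injection characters.
    """
    if not isinstance(raw, str) or not raw:
        return default
    # Control characters have no place in a URL we intend to echo back.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return default  # absolute or protocol-relative URL
    path = parts.path
    # Browsers treat "\" like "/" in http(s) URLs, so "/\host" is also off-site.
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return default
    # Rebuild from the parsed components and drop any fragment.
    return urlunsplit(("", "", path, parts.query, ""))


def render_login_page(raw_return_to):
    """Build the login form HTML with the ReturnTo value safely embedded.

    Validation alone is not enough: the value is HTML-escaped at the output
    point so characters such as <, > and " become entities inside the
    attribute instead of markup.
    """
    return_to = safe_return_to(raw_return_to)
    return (
        '<form method="post" action="/protected/login">'
        f'<input type="hidden" name="ReturnTo" value="{escape(return_to, quote=True)}">'
        "<button>Sign in</button></form>"
    )


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate path and several rejected shapes.
    for sample in ["/dashboard", "//evil.example/", "javascript:void(0)",
                   "/\\evil.example", "/q?x=<b>"]:
        print(repr(sample), "->", repr(safe_return_to(sample)))
    print(render_login_page("/q?x=<b>"))
```

The validator parses with `urlsplit` rather than string-matching on a prefix, because a leading `/` alone does not prove a value is same-origin: `//host` and `/\host` both start with `/` and both navigate off-site in browsers. Encoding is applied in the rendering function, not the validator, because the correct encoding depends on the output context (an HTML attribute here; a `Location` header or a JavaScript string would each need different treatment).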