internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-main (#22303)

* Automated internal backport of patch CVE-2026-42849.sec.patch to authentik-main

* spellcheck

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

locale/en/dictionaries/people.txt

@@ -11,3 +11,4 @@ Naur
 Wärting
 Aadit
 Kilby
+Kahmen

website/docs/security/cves/CVE-2026-42849.md

@@ -0,0 +1,27 @@
+# CVE-2026-42849
+
+_Reported by Jan Kahmen, [turingpoint GmbH](https://turingpoint.de/en/)_
+
+## Reflected XSS in SFE
+
+### Summary
+
+Due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage.
+
+### Patches
+
+authentik 2025.12.5 and 2026.2.3 fix this issue.
+
+### Impact
+
+The SFE (Simple Flow Executor) was susceptible to an XSS exploit. This could allow an attacker to redirect web requests containing tokens, hijack the session or take other malicious actions.
+
+This is possible when an OAuth2 provider is configured, either through the redirect_uri when a very broad regex is used, or through the state value.
+
+The SFE previously used jQuery without explicit sanitization, which, compared to the rest of our interfaces, did not sufficiently protect from malicious input values.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+- Email us at [security@goauthentik.io](mailto:security@goauthentik.io).