CVE-2026-3217 PUBLISHED

SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018

Assigner: drupal
Reserved: 25.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS).This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.

Product Status

Vendor	Drupal
Product	SAML SSO - Service Provider
Versions	Default: unaffected affected from 0.0.0 to 3.1.3 (excl.)

Credits

Drew Webber (mcdruid) finder
Sudhanshu Dhage (sudhanshu0542) remediation developer
Drew Webber (mcdruid) coordinator
Juraj Nemec (poker10) coordinator
Jess (xjm) coordinator

References

https://www.drupal.org/sa-contrib-2026-018

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)