
SA-CONTRIB-2026-018: SAML SSO Reflected XSS — Script Injection on Your Login Page
SA-CONTRIB-2026-018 is a critical reflected cross-site scripting (XSS) vulnerability in a Drupal single sign-on module. Attacker-controlled input carried in a request is reflected back into the response without adequate escaping on SSO endpoints, the exact pages users are trained to trust during login.

Danger: Critical - XSS on Authentication Endpoints

CVE-2026-3217 allows reflected cross-site scripting on SAML SSO login endpoints. If you run drupal/miniorange_saml at any version below 3.1.3, a crafted URL can execute attacker-supplied script in a user's browser during the authentication flow. Patch immediately.

Severity Snapshot

SA ID: SA-CONTRIB-2026-018
CVE: CVE-2026-3217
Severity: Critical
Affected Versions: < 3.1.3
Patched Version: 3.1.3
Action: Patch immediately

What Happened

The Drupal Security Team published SA-CONTRIB-2026-018 on February 25, 2026 for the SAML SSO - Service Provider module (drupal/miniorange_saml). The advisory is marked critical and classified as reflected cross-site scripting. The root issue: the module does not sufficiently sanitize user input, which allows reflected XSS via crafte
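The practical first step is confirming whether a site is exposed. The following script is an added example, not code from the advisory, the Drupal Security Team or the module vendor. It assumes a Composer-managed Drupal project, reads the installed version of drupal/miniorange_saml from composer.lock, and compares it against the patched release 3.1.3 named in SA-CONTRIB-2026-018, treating pre-release tags of 3.1.3 as still vulnerable. The embedded composer.lock fragment is constructed for the demonstration.

```python
"""Flag an installed drupal/miniorange_saml older than the patched 3.1.3.

Added example for SA-CONTRIB-2026-018; not code from the advisory or the module.
Assumes a Composer-managed Drupal site with composer.lock in the project root.
"""
import json
import re
import sys
from typing import Optional, Tuple

PACKAGE = "drupal/miniorange_saml"
PATCHED = "3.1.3"  # patched version named in SA-CONTRIB-2026-018


def parse_version(v: str) -> tuple:
    """Turn '3.1.2', 'v3.1.2', '8.x-3.1' or '3.1.3-rc1' into a comparable tuple.

    A pre-release suffix sorts below the bare release, so 3.1.3-rc1 < 3.1.3
    and is therefore still treated as unpatched.
    """
    v = v.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # drop a legacy '8.x-' core prefix
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$", v)
    if not m:
        # 'dev-main' and similar branch aliases cannot be ordered; make the
        # operator look rather than silently reporting the site as safe.
        raise ValueError(f"cannot order version {v!r}; inspect manually")
    major, minor, patch, pre = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    return nums + ((0, pre) if pre else (1, ""))


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the locked version of `package`, or None if it is not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_vulnerable(version: Optional[str]) -> bool:
    """True when the module is installed and older than PATCHED."""
    if version is None:
        return False  # module absent: SA-CONTRIB-2026-018 does not apply
    return parse_version(version) < parse_version(PATCHED)


def check_lock(lock_json: str) -> Tuple[Optional[str], bool]:
    """Convenience wrapper: (installed version or None, vulnerable?)."""
    version = installed_version(lock_json)
    return version, is_vulnerable(version)


# Constructed composer.lock fragment for the demonstration (not a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.6"},
        {"name": "drupal/miniorange_saml", "version": "3.1.2"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    # Usage: python check_miniorange_saml.py [path/to/composer.lock]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    version, vulnerable = check_lock(data)
    if version is None:
        print(f"{PACKAGE} is not installed; SA-CONTRIB-2026-018 does not apply")
    elif vulnerable:
        print(f"{PACKAGE} {version} is VULNERABLE; update to {PATCHED} or later")
    else:
        print(f"{PACKAGE} {version} is at or above {PATCHED}")
```

Run it against the real composer.lock of each site; the constructed fragment is only used when no path is given. A version the script refuses to order (a dev branch alias) is not evidence of safety and needs a manual look at the checked-out commit.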