Platform
java
Component
smart-sso
Fixed in
2.1.1
2.1.2
CVE-2026-2971 describes a cross-site scripting (XSS) vulnerability discovered in Smart-SSO versions 2.1.0 through 2.1.1. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking and data theft. The vulnerability resides within the login.html template, specifically in the handling of the redirectUri parameter. A public exploit is available, increasing the risk of exploitation.
Successful exploitation of CVE-2026-2971 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, and defacing the application's interface. The attacker could potentially gain access to sensitive user data, such as credentials and personal information. Given the public availability of an exploit, this vulnerability presents a significant and immediate threat to organizations using affected versions of Smart-SSO.
CVE-2026-2971 has been publicly disclosed and a proof-of-concept exploit is available. This significantly increases the likelihood of exploitation. The vulnerability was reported on 2026-02-23. The vendor was contacted but did not respond. The EPSS score is likely medium to high due to the public exploit and lack of vendor response.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2971 is to upgrade Smart-SSO to a version that addresses the vulnerability. Unfortunately, a fixed version is not explicitly mentioned in the provided data. As an immediate workaround, implement strict input validation and sanitization on the redirectUri parameter within the login.html template. This should include whitelisting allowed redirect URLs and escaping any user-supplied input. Consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious redirectUri values. Monitor application logs for any unusual activity related to the login page.
Update Smart-SSO to a version later than 2.1.1 that fixes the XSS vulnerability. If no version is available, review and filter the inputs of the redirectUri parameter to prevent the injection of malicious code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-2971 is a cross-site scripting (XSS) vulnerability affecting Smart-SSO versions 2.1.0-2.1.1, allowing attackers to inject malicious scripts.
You are affected if you are using Smart-SSO versions 2.1.0 or 2.1.1 and have not upgraded to a patched version.
Upgrade to a patched version of Smart-SSO. Until a patch is available, implement strict input validation on the redirectUri parameter and consider a WAF.
Yes, a public exploit exists, indicating a high likelihood of active exploitation.
The vendor did not respond to early disclosure attempts. Check the Smart-SSO website and security mailing lists for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.