Platform
java
Component
smart-sso
Fixed in
2.1.1
2.1.2
CVE-2026-2972 describes a cross-site scripting (XSS) vulnerability discovered in Smart-SSO versions 2.1.0 through 2.1.1. This flaw resides within the Role Edit Page's Save function, allowing attackers to inject malicious scripts. Successful exploitation could lead to unauthorized access or modification of user data. The vulnerability is publicly disclosed and may be actively exploited.
An attacker exploiting CVE-2026-2972 can inject arbitrary JavaScript code into the Smart-SSO application. This code could be executed in the context of a user's browser, potentially allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the application is used to manage sensitive user data or access critical systems. This XSS vulnerability could be leveraged for phishing attacks or to gain persistent access to the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of a vendor response raises concerns about the timeliness of a patch. While the CVSS score is LOW, the potential for user data compromise and application defacement warrants immediate attention. No known active campaigns have been reported, but the public disclosure makes it a prime target for opportunistic attackers.
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2972 is to upgrade Smart-SSO to a version that addresses the vulnerability. As of this writing, no patched version has been released. Until a patch is available, implement strict input validation and output encoding on the Role Edit Page to sanitize user-supplied data. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update security policies and procedures.
Update Smart-SSO to a version later than 2.1.1. If no updates are available, review and sanitize user inputs in the Save function of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java to prevent the injection of malicious code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-2972 is a cross-site scripting (XSS) vulnerability affecting Smart-SSO versions 2.1.0 through 2.1.1. It allows attackers to inject malicious scripts via the Role Edit Page.
If you are using Smart-SSO versions 2.1.0 or 2.1.1, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
Upgrade to a patched version of Smart-SSO. Until a patch is released, implement input validation and output encoding, and consider using a WAF.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed and may be exploited by opportunistic attackers.
Due to the lack of vendor response, an official advisory may not be available. Monitor security news sources and the Smart-SSO community for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.