"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018

Wed, 2026-02-25 10:51 — Anonymous (not verified)

Project: SAML SSO - Service Provider Date: 2026-February-25Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingAffected versions: <3.1.3CVE IDs: CVE-2026-3217Description: This module enables you to perform SAML protocol-based single sign-on (SSO) on a Drupal site.
The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting (XSS) vulnerability.Solution: Install the latest version:

If you are using the "SAML SSO- Service Provider" module for Drupal, upgrade to SAML SSO- Service Provider 3.1.3.

Reported By:

Drew Webber (mcdruid) of the Drupal Security Team

Fixed By:

Sudhanshu Dhage (sudhanshu0542)

Coordinated By:

Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-018

Search form

SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018