CVE-2026-2972 in Smart-SSO

Summary

by MITRE • 02/23/2026

A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. It affects the function Save in the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. Manipulation of the input can lead to cross-site scripting. The attack may be performed remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 02/27/2026

The vulnerability identified as CVE-2026-2972 is a critical cross-site scripting flaw in the a466350665 Smart-SSO authentication system, version 2.1.1 and earlier. The weakness resides in the Role Edit Page functionality of the smart-sso-server component, specifically in the UserController.java file, where the Save function processes user input without adequate sanitization. The flaw allows attackers to inject malicious scripts into the application's response, which are then executed by other users who open the affected page.

The vulnerability stems from insufficient input validation and output encoding in the user management interface. When administrators or users interact with the Role Edit Page and submit data through the Save function, the application does not sanitize or escape the user-provided content before rendering it back to the browser. This lets an attacker embed JavaScript or other payloads that execute in the context of other users' browsers. The vulnerability is particularly dangerous because it operates through the administrative interface, potentially allowing attackers to escalate privileges or gain unauthorized access to sensitive user data.

The operational impact of this cross-site scripting vulnerability extends beyond simple data theft or defacement. Attackers can use the flaw to hijack user sessions, redirect victims to malicious websites, or execute arbitrary code in the victim's browser context. Because the Role Edit Page is affected, successful exploitation could allow attackers to modify user permissions, create new administrative accounts, or manipulate access controls within the single sign-on environment. Since the attack can be performed remotely, attackers need no physical access to the system or network, which makes the vulnerability particularly concerning for organizations that rely on this authentication solution.

Security practitioners should immediately implement mitigations, including input validation and output encoding controls, to prevent script injection. The recommended approach is to encode all user-supplied values for the context in which they are rendered, for example with HTML entity encoding before they are written into web responses. Organizations should also consider deploying a Content Security Policy to limit the execution of unauthorized scripts, and a web application firewall to detect and block malicious payloads. The vulnerability is classified as CWE-79 (cross-site scripting); the ATT&CK framework covers it as web application exploitation used for initial access and privilege escalation. The lack of vendor response despite early disclosure compounds the risk: organizations must implement defensive measures themselves rather than wait for an official patch or update.
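The following is an added example, not code from Smart-SSO or VulDB, illustrating the mechanism described above and the mitigation recommended: a minimal server-side renderer for a role-edit form, first interpolating the user-supplied role name straight into the markup, then the same renderer with HTML entity encoding applied. The form fields, the render helpers, the sample role and the CSP value are all constructed for this illustration and are not taken from the project. The encoder covers text nodes and quoted attribute values only; values placed into JavaScript, URL or CSS contexts need the encoding rules for those contexts instead.

```javascript
// Added example (not Smart-SSO code): a small role-edit page renderer shown
// without and with output encoding. Field names, helpers and sample data are
// constructed here for illustration.

// HTML entity encoding for text nodes and double/single-quoted attribute values.
// These five characters are the ones that can change HTML structure in those
// contexts; everything else is passed through unchanged.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the role name supplied by the client is written into the
// response unchanged, which is the pattern the advisory describes.
function renderRoleEditVulnerable(role) {
  return `<form method="post" action="/admin/user/save">
  <input name="roleName" value="${role.name}">
  <p>Editing role: ${role.name}</p>
</form>`;
}

// Hardened form: every untrusted value is encoded for the HTML context it
// lands in (here a quoted attribute and a text node).
function renderRoleEditHardened(role) {
  const name = escapeHtml(role.name);
  return `<form method="post" action="/admin/user/save">
  <input name="roleName" value="${name}">
  <p>Editing role: ${name}</p>
</form>`;
}

// A Content-Security-Policy value that disallows inline script, as a second
// layer behind output encoding. Constructed policy; adjust for the deployment.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Simple detection check on a rendered page: is there a raw <script tag?
// Encoded output contains "&lt;script" instead and does not match.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a role name carrying markup that breaks out of the
// attribute and adds a script element.
const SAMPLE_ROLE = { name: 'auditor"><script>alert(1)</script>' };

console.log('--- vulnerable render ---');
console.log(renderRoleEditVulnerable(SAMPLE_ROLE));
console.log('--- hardened render ---');
console.log(renderRoleEditHardened(SAMPLE_ROLE));
console.log('Content-Security-Policy:', cspHeader());
```

In the vulnerable output the sample closes the `value` attribute and leaves a live `<script>` element in the page; in the hardened output the same value is rendered inert as `auditor&quot;&gt;&lt;script&gt;...`, and the browser displays it as literal text. The CSP value is a backstop for any encoding gap, not a replacement for encoding.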

Responsible: VulDB

Disclosure: 02/23/2026

Moderation: accepted

CPE: ready


EPSS: 0.00011

KEV: no

Activities: very low
