SimpleSAMLphp is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to unvalidated metadata endpoints, allowing malicious parties to substitute URLs with JavaScript code, leading to execution of the code in the userβs browser if strict Content Security Policies are not enforced.