Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-8493

Summary
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
Published At-19 May, 2026 | 22:29
Updated At-20 May, 2026 | 16:35
Rejected At-
Credits

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:drupal
Assigner Org ID:2c85b837-eb8b-40ed-9d74-228c62987387
Published At:19 May, 2026 | 22:29
Updated At:20 May, 2026 | 16:35
Rejected At:
â–¼CVE Numbering Authority (CNA)
Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
Colorbox Inline
Collection URL
https://www.drupal.org/project/colorbox_inline
Repo
https://git.drupalcode.org/project/colorbox_inline
Default Status
unaffected
Versions
Affected
  • From 0.0.0 before 2.1.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-63CAPEC-63 Cross-Site Scripting (XSS)
CAPEC ID: CAPEC-63
Description: CAPEC-63 Cross-Site Scripting (XSS)
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Pierre Rudloff (prudloff)
remediation developer
Michael Harris (miwayha)
coordinator
Bram Driesen (bramdriesen)
coordinator
Juraj Nemec (poker10)
coordinator
Pierre Rudloff (prudloff)
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.drupal.org/sa-contrib-2026-036
N/A
Hyperlink: https://www.drupal.org/sa-contrib-2026-036
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:mlhess@drupal.org
Published At:19 May, 2026 | 23:16
Updated At:27 May, 2026 | 15:08

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches

colorbox_inline_project
colorbox_inline_project
>>colorbox_inline>>Versions before 2.1.1(exclusive)
cpe:2.3:a:colorbox_inline_project:colorbox_inline:*:*:*:*:*:drupal:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarymlhess@drupal.org
CWE ID: CWE-79
Type: Secondary
Source: mlhess@drupal.org
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.drupal.org/sa-contrib-2026-036mlhess@drupal.org
Third Party Advisory
Hyperlink: https://www.drupal.org/sa-contrib-2026-036
Source: mlhess@drupal.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

10512Records found

CVE-2024-13289
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 18.74%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:15
Updated-02 Sep, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Cookiebot + GTM allows Cross-Site Scripting (XSS).This issue affects Cookiebot + GTM: from 0.0.0 before 1.0.18.

Action-Not Available
Vendor-usercentricsThe Drupal Association
Product-cookiebot_\+_gtmCookiebot + GTM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13286
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.22%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:13
Updated-02 Sep, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal SVG Embed allows Cross-Site Scripting (XSS).This issue affects SVG Embed: from 0.0.0 before 2.1.2.

Action-Not Available
Vendor-svg_embed_projectThe Drupal Association
Product-svg_embedSVG Embed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13287
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.22%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:13
Updated-02 Sep, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Views SVG Animation allows Cross-Site Scripting (XSS).This issue affects Views SVG Animation: from 0.0.0 before 1.0.1.

Action-Not Available
Vendor-views_svg_animation_projectThe Drupal Association
Product-views_svg_animationViews SVG Animation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13245
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.81%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:51
Updated-07 Jul, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor 4 LTS - WYSIWYG HTML editor allows Cross-Site Scripting (XSS).This issue affects CKEditor 4 LTS - WYSIWYG HTML editor: from 1.0.0 before 1.0.1.

Action-Not Available
Vendor-cksourceThe Drupal Association
Product-ckeditor_4CKEditor 4 LTS - WYSIWYG HTML editor
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13237
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 13.47%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:15
Updated-04 Jun, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38.

Action-Not Available
Vendor-file_entity_projectThe Drupal Association
Product-file_entityFile Entity (fieldable files)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13294
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.79%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:17
Updated-02 Sep, 2025 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal POST File allows Cross-Site Scripting (XSS).This issue affects POST File: from 0.0.0 before 1.0.2.

Action-Not Available
Vendor-post_file_projectThe Drupal Association
Product-post_filePOST File
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13238
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.81%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:33
Updated-04 Jun, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Typogrify allows Cross-Site Scripting (XSS).This issue affects Typogrify: from 0.0.0 before 1.3.0.

Action-Not Available
Vendor-typogrify_projectThe Drupal Association
Product-typogrifyTypogrify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13273
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.22%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 19:26
Updated-28 Aug, 2025 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11.

Action-Not Available
Vendor-getopensocialThe Drupal Association
Product-open_socialOpen Social
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12393
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 24.64%
||
7 Day CHG+0.01%
Published-09 Dec, 2024 | 23:20
Updated-02 Jun, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3215
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 7.33%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:24
Updated-31 Mar, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5.

Action-Not Available
Vendor-islandoraThe Drupal Association
Product-islandoraIslandora
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3212
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 3.39%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:22
Updated-27 Mar, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49.

Action-Not Available
Vendor-factorialThe Drupal Association
Product-tagifyTagify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14556
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 7.22%
||
7 Day CHG~0.00%
Published-14 Jan, 2026 | 18:38
Updated-23 Jan, 2026 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Drupal 7 Flag Module

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9.

Action-Not Available
Vendor-flag_module_projectThe Drupal Association
Product-flagFlag
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13979
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.42%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 20:00
Updated-12 Feb, 2026 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2.

Action-Not Available
Vendor-salsa.digitalThe Drupal Association
Product-mini_siteMini site
CWE ID-CWE-267
Privilege Defined With Unsafe Actions
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13983
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 3.38%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 20:02
Updated-29 Jan, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.

Action-Not Available
Vendor-The Drupal Association
Product-Tagify
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-2348
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 3.38%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:20
Updated-02 Apr, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.

Action-Not Available
Vendor-wim-leersThe Drupal Association
Product-quick_editQuick Edit
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31675
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.46% / 36.45%
||
7 Day CHG+0.03%
Published-31 Mar, 2025 | 21:35
Updated-02 Apr, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.

Action-Not Available
Vendor-The Drupal Association
Product-drupalLinkDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3130
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.07%
||
7 Day CHG+0.01%
Published-02 Apr, 2025 | 21:10
Updated-29 Apr, 2025 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS.This issue affects Obfuscate: from 0.0.0 before 2.0.1.

Action-Not Available
Vendor-The Drupal Association
Product-obfuscateObfuscate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13252
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.81%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:58
Updated-04 Jun, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal TacJS allows Cross-Site Scripting (XSS).This issue affects TacJS: from 0.0.0 before 6.5.0.

Action-Not Available
Vendor-tacjs_projectThe Drupal Association
Product-tacjsTacJS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6367
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 10.13%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 22:28
Updated-22 Jun, 2026 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6365
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 14.79%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 22:27
Updated-20 May, 2026 | 22:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6095
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 9.46%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 22:26
Updated-21 May, 2026 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16.

Action-Not Available
Vendor-gayaThe Drupal Association
Product-orejimeOrejime
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-48918
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-8.8||HIGH
EPSS-0.22% / 13.13%
||
7 Day CHG~0.00%
Published-13 Jun, 2025 | 15:38
Updated-17 Jul, 2025 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-071

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0.

Action-Not Available
Vendor-1xinternetThe Drupal Association
Product-simple_klaroSimple Klaro
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-4929
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.1||MEDIUM
EPSS-0.21% / 10.55%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:48
Updated-22 May, 2026 | 12:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

Action-Not Available
Vendor-The Drupal Association
Product-Simple Hierarchical Select (shs)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13262
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.26% / 17.47%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 19:14
Updated-28 Aug, 2025 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal View Password allows Cross-Site Scripting (XSS).This issue affects View Password: from 0.0.0 before 6.0.4.

Action-Not Available
Vendor-view_password_projectThe Drupal Association
Product-view_passwordView Password
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13283
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 12.98%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 19:36
Updated-02 Sep, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.9.

Action-Not Available
Vendor-facets_projectThe Drupal Association
Product-facetsFacets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13298
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.23% / 13.45%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:21
Updated-02 Sep, 2025 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Tarte au Citron allows Cross-Site Scripting (XSS).This issue affects Tarte au Citron: from 2.0.0 before 2.0.5.

Action-Not Available
Vendor-kleegroupThe Drupal Association
Product-tarte_au_citronTarte au Citron
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13247
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 11.80%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 18:53
Updated-04 Jun, 2025 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Coffee allows Cross-Site Scripting (XSS).This issue affects Coffee: from 0.0.0 before 1.4.0.

Action-Not Available
Vendor-coffee_projectThe Drupal Association
Product-coffeeCoffee
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13292
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.23% / 13.45%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:16
Updated-02 Sep, 2025 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Tooltip allows Cross-Site Scripting (XSS).This issue affects Tooltip: from 0.0.0 before 1.1.2.

Action-Not Available
Vendor-tooltip_projectThe Drupal Association
Product-tooltipTooltip
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13308
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-3.8||LOW
EPSS-0.25% / 15.84%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:27
Updated-05 Sep, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Browser Back Button allows Cross-Site Scripting (XSS).This issue affects Browser Back Button: from 1.0.0 before 2.0.2.

Action-Not Available
Vendor-browser_back_button_projectThe Drupal Association
Product-browser_back_buttonBrowser Back Button
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13305
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.23% / 13.45%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 20:25
Updated-28 Aug, 2025 | 11:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Entity Form Steps allows Cross-Site Scripting (XSS).This issue affects Entity Form Steps: from 0.0.0 before 1.1.4.

Action-Not Available
Vendor-imagexmediaThe Drupal Association
Product-entity_form_stepsEntity Form Steps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13688
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.66% / 47.16%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 15:08
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13668
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.68% / 47.95%
||
7 Day CHG+0.01%
Published-11 Feb, 2022 | 15:15
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Access bypass in Drupal Core 8/9

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13672
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.67% / 47.54%
||
7 Day CHG+0.01%
Published-11 Feb, 2022 | 15:30
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13666
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-2.93% / 85.38%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 13:50
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13669
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.64% / 46.38%
||
7 Day CHG+0.01%
Published-11 Feb, 2022 | 15:25
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13673
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.26% / 17.21%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 15:35
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

Action-Not Available
Vendor-The Drupal Association
Product-entity_embedEntity Embed
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-4093
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.1||MEDIUM
EPSS-0.17% / 6.79%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:50
Updated-22 May, 2026 | 13:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11.

Action-Not Available
Vendor-The Drupal Association
Product-Term Reference Tree
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3529
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 15.38%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 20:03
Updated-31 Mar, 2026 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.

Action-Not Available
Vendor-sujanshresthaThe Drupal Association
Product-google_analytics_ga4Google Analytics GA4
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3528
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 15.38%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 20:03
Updated-01 Apr, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.

Action-Not Available
Vendor-joaopaulocdevThe Drupal Association
Product-calculation_fieldsCalculation Fields
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3217
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 9.17%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:24
Updated-31 Mar, 2026 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS).This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.

Action-Not Available
Vendor-miniorangeThe Drupal Association
Product-saml_sso_-_service_providerSAML SSO - Service Provider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-3213
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.7||MEDIUM
EPSS-0.17% / 6.77%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:22
Updated-31 Mar, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.

Action-Not Available
Vendor-cleantalkThe Drupal Association
Product-anti-spamAnti-Spam by CleanTalk
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31682
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 12.24%
||
7 Day CHG+0.01%
Published-31 Mar, 2025 | 21:40
Updated-02 Jun, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS).This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

Action-Not Available
Vendor-google_tag_projectThe Drupal Association
Product-google_tagGoogle Tag
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6341
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.4||MEDIUM
EPSS-12.41% / 95.72%
||
7 Day CHG~0.00%
Published-26 Mar, 2019 | 18:04
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-Debian GNU/LinuxFedora ProjectThe Drupal Association
Product-debian_linuxfedoradrupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-2349
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 4.46%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:21
Updated-31 Mar, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.

Action-Not Available
Vendor-beyrisThe Drupal Association
Product-ui_iconsUI Icons
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6871
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 9.46%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 22:28
Updated-21 May, 2026 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2.

Action-Not Available
Vendor-obfuscate_projectThe Drupal Association
Product-obfuscateObfuscate
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-14557
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.8||MEDIUM
EPSS-0.19% / 8.55%
||
7 Day CHG~0.00%
Published-14 Jan, 2026 | 18:40
Updated-23 Jan, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in Drupal 7 Facebook Pixel Module

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.

Action-Not Available
Vendor-facebook_pixel_projectThe Drupal Association
Product-facebook_pixelFacebook Pixel
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13981
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-4.4||MEDIUM
EPSS-0.12% / 1.98%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 20:01
Updated-19 Feb, 2026 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.

Action-Not Available
Vendor-artificial_intelligence_projectThe Drupal Association
Product-artificial_intelligenceAI (Artificial Intelligence)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12848
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7||HIGH
EPSS-0.30% / 22.15%
||
7 Day CHG~0.00%
Published-26 Nov, 2025 | 01:28
Updated-26 Mar, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS vulnerability when rendering filename in Webform Multiform

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at  https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.

Action-Not Available
Vendor-webform_multiple_file_upload_projectThe Drupal Association
Product-webform_multiple_file_uploadDrupal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12761
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-3.5||LOW
EPSS-0.15% / 4.39%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 16:56
Updated-08 Dec, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.

Action-Not Available
Vendor-simple_multi_step_form_projectThe Drupal Association
Product-simple_multi_step_formSimple multi step form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12083
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 8.16%
||
7 Day CHG-0.00%
Published-29 Oct, 2025 | 23:14
Updated-03 Dec, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.

Action-Not Available
Vendor-salsa.digitalThe Drupal Association
Product-civictheme_design_systemCivicTheme Design System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 210
  • 211
  • Next
Details not found