CVE-2026-58587

Source
https://cve.org/CVERecord?id=CVE-2026-58587
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58587.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58587
Aliases
Published
2026-07-10T21:46:15.116Z
Modified
2026-07-14T04:02:26.436837374Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065
Details

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.

Database specific
{
    "cna_assigner": "drupal",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58587.json"
}
References

Affected packages

Git / git.drupalcode.org/project/canvas

Affected ranges

Type
GIT
Repo
https://git.drupalcode.org/project/canvas
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d9eb0eb1b79f7e10d26cdadb9c4fbbd28241ba85
Introduced
60307ab456d3bac9ddc191dba74172b25f032c10
Fixed
4955f9fedfca2b2be22f2b5e4899029dcfaf90df
Introduced
c342497c26e6e68d5d5643af536bf7948ce7d176
Fixed
8312884e2aedf1f0339b64ac02081aad4b3f9238
Introduced
47da2b211e2078afdb511071b57358cccad2e2b1
Fixed
ed49528fd8a7b7babfc91bd3a7097c0c7ec4d2aa
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.0.0"
        },
        {
            "fixed": "1.4.2"
        },
        {
            "introduced": "1.5.0"
        },
        {
            "fixed": "1.5.2"
        },
        {
            "introduced": "1.6.0"
        },
        {
            "fixed": "1.6.1"
        },
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.1"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-alpha1
1.0.0-beta1
1.0.0-beta2
1.0.0-rc1
1.0.0-rc2
1.0.0-rc3
1.0.0-rc4
1.0.0-rc5
1.0.1
1.0.2
1.0.3
1.1.0
v1.*
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.6.0
v1.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58587.json"