DRUPAL-CONTRIB-2026-009

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/quickedit/DRUPAL-CONTRIB-2026-009.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-009

Aliases

CVE-2026-2348

Published

2026-02-11T16:53:32Z

Modified

2026-02-11T19:16:19.554689Z

Summary

[none]

Details

This module allows content to be edited in-place.

The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create or edit an affected field.

References

https://www.drupal.org/sa-contrib-2026-009

Credits

- Drew Webber (mcdruid)
- - https://www.drupal.org/u/mcdruid

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/quickedit

Package

Name: drupal/quickedit
Purl: pkg:composer/drupal/quickedit

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.5

Database specific

{
    "constraint": "<1.0.5"
}

Type

ECOSYSTEM

Events

Introduced

2.0.0

Fixed

2.0.1

Database specific

{
    "constraint": ">=2.0.0 <2.0.1"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/quickedit/DRUPAL-CONTRIB-2026-009.json"

affected_versions

"<1.0.5 || >=2.0.0 <2.0.1"