This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment.
The module doesn't sufficiently sanitize URI paths on the custom route it uses for attaching media to nodes, which can lead to cross-site scripting and other vulnerabilities.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create media" and the ability to edit the node the media is being attached to.