DRUPAL-CONTRIB-2026-032

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/orejime/DRUPAL-CONTRIB-2026-032.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-032
Aliases
  • CVE-2026-6095
Published
2026-04-08T16:09:54Z
Modified
2026-04-10T16:51:06Z
Summary
[none]
Details

The IframeConsent element writes HTML attributes without escaping their value.

This module has an XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.

This vulnerability is mitigated by the fact that a text format that allows iframe-consent HTML tags with alt attributes in the necessary option (Enable JS Iframe consent) must be enabled, and an attacker must have a role allowing the creation or modification of content in a field that uses that text format.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/orejime

Package

Name
drupal/orejime
Purl
pkg:composer/drupal/orejime

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.16
Database specific
{
    "constraint": "<2.0.16"
}

Database specific

affected_versions
"<2.0.16"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/orejime/DRUPAL-CONTRIB-2026-032.json"