DRUPAL-CONTRIB-2026-036

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/colorbox_inline/DRUPAL-CONTRIB-2026-036.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-036

Aliases

CVE-2026-8493

Published

2026-05-13T17:18:29Z

Modified

2026-05-13T19:00:12.340848Z

Summary

[none]

Details

This module enables you to open content already on the page within a colorbox.

The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

References

https://www.drupal.org/sa-contrib-2026-036

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/colorbox_inline

Package

Name: drupal/colorbox_inline
Purl: pkg:composer/drupal/colorbox_inline

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.1.1

Database specific

{
    "constraint": "<2.1.1"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/colorbox_inline/DRUPAL-CONTRIB-2026-036.json"

affected_versions

"<2.1.1"