DRUPAL-CONTRIB-2026-042

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cleantalk/DRUPAL-CONTRIB-2026-042.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-042
Aliases
  • CVE-2026-10770
Published
2026-06-03T16:14:56Z
Modified
2026-06-03T19:45:06.720618469Z
Summary
[none]
Details

This module provides spam protection using the CleanTalk cloud service.

The module does not sufficiently sanitize CleanTalk API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions write the API response message directly into the HTML page without escaping it, so a response containing markup or script is rendered as-is, allowing injection of arbitrary HTML or JavaScript.

This vulnerability is mitigated by the fact that an attacker must be able to influence the CleanTalk cloud API response (e.g., through a man-in-the-middle attack or a compromised API server).
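As an added illustration (not the cleantalk module's own code), a standalone PHP sketch of the pattern the advisory describes next to its hardened form. The function bodies, the helper check and the sample API response are constructed assumptions; only the function names mirror the advisory, and in Drupal the escaping step would normally be done with \Drupal\Component\Utility\Html::escape(), which wraps htmlspecialchars().

```php
<?php
// Added example, not code from the cleantalk module. Demonstrates an API
// response message dropped into HTML unescaped, and the escaped version.
// Names and bodies are hypothetical; run with: php this_file.php

// Constructed sample of a tampered cloud API response. The advisory notes that
// an attacker would need to influence this response (MITM or compromised server).
$apiResponse = [
    'allow'   => 0,
    'comment' => '*** Forbidden. <script>alert("injected")</script> ***',
];

// Vulnerable pattern: the message is interpolated straight into markup.
function ct_die_vulnerable(string $message): string {
    return "<h1>Spam protection</h1><p>{$message}</p>";
}

// Hardened pattern: the message is plain text, so escape it for an HTML
// context before interpolation (Html::escape() does the same in Drupal).
function ct_die_fixed(string $message): string {
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Spam protection</h1><p>{$safe}</p>";
}

// Defensive check for a test suite: true when any tag from the message
// survives inside our <p> wrapper, i.e. the output would execute or render it.
function messageRendersTags(string $html): bool {
    $prefix = '<h1>Spam protection</h1><p>';
    $inner  = substr($html, strlen($prefix), -strlen('</p>'));
    return $inner !== strip_tags($inner);
}

$message = (string) ($apiResponse['comment'] ?? 'Request rejected.');

echo "vulnerable: ", ct_die_vulnerable($message), PHP_EOL;
echo "fixed:      ", ct_die_fixed($message), PHP_EOL;
echo "tags survive (vulnerable): ",
    var_export(messageRendersTags(ct_die_vulnerable($message)), true), PHP_EOL;
echo "tags survive (fixed):      ",
    var_export(messageRendersTags(ct_die_fixed($message)), true), PHP_EOL;
```

The same check can be applied to any other place the module echoes cloud-supplied strings; anything reaching an HTML context should pass through escaping rather than be trusted because it came from the API.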

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/cleantalk

Package

Name
drupal/cleantalk
Purl
pkg:composer/drupal%2Fcleantalk

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.7.1
Database specific
{
    "constraint": "<9.7.1"
}

Database specific

affected_versions
"<9.7.1"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cleantalk/DRUPAL-CONTRIB-2026-042.json"