DRUPAL-CONTRIB-2026-051

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/admin_feedback/DRUPAL-CONTRIB-2026-051.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-051
Aliases
  • CVE-2026-13231
Published
2026-06-24T18:32:15Z
Modified
2026-06-24T19:15:04.309172444Z
Summary
[none]
Details

This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses.

The module doesn't sufficiently sanitize several administrator-configured response messages (the "Yes response", "No response", and the custom text shown on a "No" answer). When those settings contain HTML or script markup, that markup is emitted as raw HTML in the feedback response shown to visitors.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer admin feedback".


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/admin_feedback

Package

Name
drupal/admin_feedback
Purl
pkg:composer/drupal%2Fadmin_feedback

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.8.0
Database specific
{
    "constraint": "<2.8.0"
}

Database specific

affected_versions
"<2.8.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/admin_feedback/DRUPAL-CONTRIB-2026-051.json"