DRUPAL-CONTRIB-2026-066

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/canvas/DRUPAL-CONTRIB-2026-066.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-066
Aliases
  • CVE-2026-58588
Published
2026-07-01T17:21:09Z
Modified
2026-07-01T19:30:04.636713711Z
Summary
[none]
Details

The Canvas module allows you to upload image files via a custom API.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
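As an added illustration (not the Canvas module's own code), the following Python compares the extension-only rule described above with a check that also inspects the file's leading bytes; the allowed-extension set, signature table and sample uploads are constructed for the example.

```python
import os
from typing import Optional

# Constructed for this example: image extensions the upload endpoint accepts.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading-byte signatures for those formats (constructed, not exhaustive).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
_FAMILY = {"jpeg": "jpg"}  # .jpeg and .jpg name the same format


def _extension(filename: str) -> str:
    return os.path.splitext(filename)[1].lstrip(".").lower()


def extension_only_check(filename: str) -> bool:
    """The weak rule: trusts the client-supplied name, never reads the bytes."""
    return _extension(filename) in ALLOWED_EXTENSIONS


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image family the leading bytes indicate, or None."""
    for family, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return family
    return None


def content_aware_check(filename: str, data: bytes) -> bool:
    """Hardened rule: extension must be allowed AND agree with the content."""
    # This is one layer only: the serving side should still send an explicit
    # image Content-Type and X-Content-Type-Options: nosniff.
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    sniffed = sniff_image_type(data)
    return sniffed is not None and sniffed == _FAMILY.get(ext, ext)


# Constructed sample uploads: a PNG header, a GIF header, and an HTML
# document renamed to look like an image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16
SAMPLE_HTML = b"<!DOCTYPE html><html><body>not an image</body></html>"
```

Both checks accept SAMPLE_PNG saved as avatar.png; only the extension-only rule also accepts SAMPLE_HTML under that name, which is the gap the advisory describes.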

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/canvas

Package

Name
drupal/canvas
Purl
pkg:composer/drupal%2Fcanvas

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.2
Database specific
{
    "constraint": "<1.4.2"
}
Type
ECOSYSTEM
Events
Introduced
1.5.0
Fixed
1.5.2
Database specific
{
    "constraint": ">=1.5.0 <1.5.2"
}
Type
ECOSYSTEM
Events
Introduced
1.6.0
Fixed
1.6.1
Database specific
{
    "constraint": ">=1.6.0 <1.6.1"
}
Type
ECOSYSTEM
Events
Introduced
1.7.0
Fixed
1.7.1
Database specific
{
    "constraint": ">=1.7.0 <1.7.1"
}

Database specific

affected_versions
"<1.4.2 || >=1.5.0 <1.5.2 || >=1.6.0 <1.6.1 || >=1.7.0 <1.7.1"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/canvas/DRUPAL-CONTRIB-2026-066.json"