Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reflected XSS is network-delivered without privileges (AV:N/PR:N), requires victim to load crafted URL (UI:R), and executes in the browser security context crossing scope boundary (S:C) with bounded C/I impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Reflected XSS. This issue affects Anti-Spam by CleanTalk versions: from 0.0.0 to 9.7.1.
AnalysisAI
Reflected XSS in the Anti-Spam by CleanTalk Drupal contributed module (versions 0.0.0 through 9.7.1) allows remote unauthenticated attackers to inject and execute malicious JavaScript in a victim's browser by tricking them into visiting a crafted URL. The CVSS Changed scope (S:C) confirms the payload executes in the browser's security context, enabling session theft, credential harvesting, or UI redirection against authenticated Drupal users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target Drupal site to have the Anti-Spam by CleanTalk contributed module installed, enabled, and running a version from 0.0.0 up to 9.7.1. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 Medium score is well-calibrated for this class of vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates a Drupal site running a vulnerable version of Anti-Spam by CleanTalk, then crafts a URL containing a reflected XSS payload embedded in a vulnerable query parameter handled by the module. The attacker delivers this link to a targeted Drupal administrator or editor via a phishing email or compromised third-party site. … |
| Remediation | The primary remediation is to upgrade the Anti-Spam by CleanTalk Drupal module to version 9.7.1 or later, which contains the vendor-released fix per Drupal Security Advisory sa-contrib-2026-042 (https://www.drupal.org/sa-contrib-2026-042). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Anti Spam By Cleantalk
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43048
GHSA-fhcj-f666-rhjr