Skip to main content

Anti-Spam by CleanTalk CVE-2026-10770

| EUVDEUVD-2026-43048 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 drupal GHSA-fhcj-f666-rhjr
6.1
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Reflected XSS is network-delivered without privileges (AV:N/PR:N), requires victim to load crafted URL (UI:R), and executes in the browser security context crossing scope boundary (S:C) with bounded C/I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 14, 2026 - 15:23 vuln.today
CVSS changed
Jul 14, 2026 - 15:22 NVD
6.1 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:42 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Reflected XSS. This issue affects Anti-Spam by CleanTalk versions: from 0.0.0 to 9.7.1.

AnalysisAI

Reflected XSS in the Anti-Spam by CleanTalk Drupal contributed module (versions 0.0.0 through 9.7.1) allows remote unauthenticated attackers to inject and execute malicious JavaScript in a victim's browser by tricking them into visiting a crafted URL. The CVSS Changed scope (S:C) confirms the payload executes in the browser's security context, enabling session theft, credential harvesting, or UI redirection against authenticated Drupal users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Drupal site with vulnerable module
Delivery
Craft URL embedding XSS payload in vulnerable parameter
Exploit
Deliver crafted URL to victim via phishing
Execution
Victim loads URL while authenticated to Drupal
Persist
Reflected payload executes in victim's browser
Impact
Exfiltrate session token to attacker-controlled server

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Drupal site to have the Anti-Spam by CleanTalk contributed module installed, enabled, and running a version from 0.0.0 up to 9.7.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 Medium score is well-calibrated for this class of vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates a Drupal site running a vulnerable version of Anti-Spam by CleanTalk, then crafts a URL containing a reflected XSS payload embedded in a vulnerable query parameter handled by the module. The attacker delivers this link to a targeted Drupal administrator or editor via a phishing email or compromised third-party site. …
Remediation The primary remediation is to upgrade the Anti-Spam by CleanTalk Drupal module to version 9.7.1 or later, which contains the vendor-released fix per Drupal Security Advisory sa-contrib-2026-042 (https://www.drupal.org/sa-contrib-2026-042). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy