Skip to main content

Advanced Content Feedback CVE-2026-13231

| EUVDEUVD-2026-43055 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 drupal GHSA-m44m-73vr-r5qh
6.1
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered stored XSS with no auth required, scope change to victim browser, limited C/I impact, and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 21:16 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
6.1 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:44 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Stored XSS. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0.

AnalysisAI

Stored XSS in the Drupal contributed module Advanced Content Feedback (admin_feedback) affects all releases from 0.0.0 up to 2.8.0, enabling a remote unauthenticated attacker to inject persistent malicious scripts that execute in the browsers of users who subsequently view affected pages. The scope change (S:C) in the CVSS vector indicates the injected payload escapes the application's security context and operates in the victim's browser, potentially enabling session hijacking or unauthorized actions on behalf of privileged users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access public feedback submission form
Delivery
Inject stored XSS payload into feedback field
Exploit
Payload persisted in Drupal database
Execution
Admin user loads feedback review page
Persist
Malicious script executes in admin browser
Impact
Session cookie or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation The Drupal Advanced Content Feedback (admin_feedback) contributed module must be installed and enabled on the target Drupal site, running any release from 0.0.0 up to 2.8.0 - this is a non-default configuration requiring deliberate module installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 Medium score is derived from a network-accessible, low-complexity attack requiring no privileges but mandatory user interaction (UI:R), with a scope change (S:C) that elevates the score despite only partial confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker visits the content feedback submission interface of a Drupal site running a vulnerable version of admin_feedback and submits a feedback entry containing a crafted JavaScript payload such as a cookie-stealing script. The payload is stored in the Drupal database and silently executes the next time an administrator or privileged user loads the affected feedback or content review page, transmitting their session token to an attacker-controlled endpoint and enabling subsequent account takeover. …
Remediation Upgrade the Advanced Content Feedback (admin_feedback) module to version 2.8.0 or later, as indicated by the EUVD affected-version boundary and the Drupal security advisory SA-contrib-2026-051 at https://www.drupal.org/sa-contrib-2026-051. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy