Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered stored XSS with no auth required, scope change to victim browser, limited C/I impact, and no availability effect.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Stored XSS. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0.
AnalysisAI
Stored XSS in the Drupal contributed module Advanced Content Feedback (admin_feedback) affects all releases from 0.0.0 up to 2.8.0, enabling a remote unauthenticated attacker to inject persistent malicious scripts that execute in the browsers of users who subsequently view affected pages. The scope change (S:C) in the CVSS vector indicates the injected payload escapes the application's security context and operates in the victim's browser, potentially enabling session hijacking or unauthorized actions on behalf of privileged users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Drupal Advanced Content Feedback (admin_feedback) contributed module must be installed and enabled on the target Drupal site, running any release from 0.0.0 up to 2.8.0 - this is a non-default configuration requiring deliberate module installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 Medium score is derived from a network-accessible, low-complexity attack requiring no privileges but mandatory user interaction (UI:R), with a scope change (S:C) that elevates the score despite only partial confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker visits the content feedback submission interface of a Drupal site running a vulnerable version of admin_feedback and submits a feedback entry containing a crafted JavaScript payload such as a cookie-stealing script. The payload is stored in the Drupal database and silently executes the next time an administrator or privileged user loads the affected feedback or content review page, transmitting their session token to an attacker-controlled endpoint and enabling subsequent account takeover. … |
| Remediation | Upgrade the Advanced Content Feedback (admin_feedback) module to version 2.8.0 or later, as indicated by the EUVD affected-version boundary and the Drupal security advisory SA-contrib-2026-051 at https://www.drupal.org/sa-contrib-2026-051. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43055
GHSA-m44m-73vr-r5qh