Skip to main content

Drupal AI CVE-2026-13234

| EUVDEUVD-2026-43058 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 drupal GHSA-q48q-x876-9gr8
6.1
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-accessible with no auth required; victim interaction mandatory; scope changes to browser; confidentiality and integrity limited to session/page context, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:38 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
6.1 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:44 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). This issue affects AI (Artificial Intelligence) versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4.3.

AnalysisAI

Cross-site scripting in the Drupal AI (Artificial Intelligence) contributed module exposes sites to session hijacking and malicious content injection when users interact with unsanitized AI-generated or AI-related output rendered in the browser. The module fails to properly neutralize user-controlled or AI-sourced input before including it in generated web pages, allowing an unauthenticated remote attacker to craft a payload that executes in a victim's browser upon interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Drupal site with AI module
Delivery
Craft XSS payload in injectable parameter
Exploit
Deliver malicious URL to target user
Execution
Victim loads page triggering unsanitized render
Persist
Injected script executes in victim browser
Impact
Exfiltrate session token or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Drupal site has the AI (Artificial Intelligence) contributed module installed and enabled in an affected version (0.0.0-pre-1.2.17, 1.3.0-pre-1.3.8, or 1.4.0-pre-1.4.3). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate despite a medium CVSS of 6.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL or submits input to a Drupal page that triggers the AI module to reflect unsanitized content back into the HTML response. When a logged-in Drupal user (such as a site administrator or editor) is socially engineered into visiting the crafted URL, the injected JavaScript executes in their browser, potentially stealing their session cookie or performing privileged actions on their behalf within the Drupal site. …
Remediation Upgrade the Drupal AI module to a patched release per the active branch in use: 1.2.17 or later for the 1.2.x branch, 1.3.8 or later for the 1.3.x branch, or 1.4.3 or later for the 1.4.x branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy