Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-accessible stored XSS requiring low-privileged submission and victim interaction; scope changed to browser, with limited confidentiality and integrity impact only.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17.
AnalysisAI
Stored XSS in the Drupal UI Patterns (SDC in Drupal UI) contributed module allows a low-privileged authenticated attacker to inject persistent malicious scripts into web pages, which execute in the browsers of other users - including administrators - who view the affected content. Versions 2.0.0 through 2.0.17 of the module are affected, with a patch available from the Drupal security team. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, low-privileged Drupal account with permission to create or edit content that is processed by the UI Patterns (SDC in Drupal UI) module - specifically the component or field rendering path affected by insufficient output encoding. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.4 (Medium) accurately reflects the attack constraints: PR:L requires the attacker to hold at least a low-privileged account on the Drupal site, and UI:R means exploitation depends on a victim (potentially an administrator) navigating to a page rendering the malicious content. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Drupal site member with content creation privileges submits a UI Patterns component configuration or field value containing a crafted JavaScript payload. The malicious input is stored in the database. … |
| Remediation | Upgrade the Drupal UI Patterns (SDC in Drupal UI) module to version 2.0.17 or later, per the vendor advisory at https://www.drupal.org/sa-contrib-2026-075. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43079
GHSA-rx7v-qfjw-hc2q