Skip to main content

Ui Icons CVE-2026-2349

| EUVDEUVD-2026-15453 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 drupal GHSA-7478-wj8x-xfw9
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15453
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:21 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.

AnalysisAI

A Cross-Site Scripting (XSS) vulnerability exists in the Drupal UI Icons module due to improper neutralization of user input during web page generation. This vulnerability affects UI Icons versions 0.0.0 through 1.0.0 and versions 1.1.0 through 1.1.0, allowing attackers to inject malicious scripts that execute in the context of victim browsers. No CVSS score, EPSS data, or confirmed KEV status is currently available; however, the XSS classification and Drupal reporting indicate this requires prompt patching to versions 1.0.1 or 1.1.1.

Technical ContextAI

The Drupal UI Icons module (CPE: cpe:2.3:a:drupal:ui_icons:*:*:*:*:*:*:*:*) is a user interface component library for the Drupal content management system. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which is the canonical XSS weakness category. This indicates that the module fails to sanitize or escape user-supplied input before rendering it in HTML output, allowing attackers to inject executable JavaScript code. The root cause stems from inadequate input validation and output encoding mechanisms within the icon rendering or configuration display logic.

RemediationAI

Immediately upgrade Drupal UI Icons to version 1.0.1 if running the 1.0.x branch, or to version 1.1.1 if running the 1.1.x branch. Download patches from https://www.drupal.org/sa-contrib-2026-010 and apply via Drupal's module update mechanism or manual file replacement. Until patches can be applied, apply input validation and output encoding patches at the application level if source code access is available, or disable the UI Icons module if not actively required. Additionally, implement Content Security Policy (CSP) headers to restrict script execution and monitor access logs for suspicious payloads or unusual icon configuration requests that may indicate exploitation attempts.

Share

CVE-2026-2349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy