Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.
AnalysisAI
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal UI Icons module due to improper neutralization of user input during web page generation. This vulnerability affects UI Icons versions 0.0.0 through 1.0.0 and versions 1.1.0 through 1.1.0, allowing attackers to inject malicious scripts that execute in the context of victim browsers. No CVSS score, EPSS data, or confirmed KEV status is currently available; however, the XSS classification and Drupal reporting indicate this requires prompt patching to versions 1.0.1 or 1.1.1.
Technical ContextAI
The Drupal UI Icons module (CPE: cpe:2.3:a:drupal:ui_icons:*:*:*:*:*:*:*:*) is a user interface component library for the Drupal content management system. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which is the canonical XSS weakness category. This indicates that the module fails to sanitize or escape user-supplied input before rendering it in HTML output, allowing attackers to inject executable JavaScript code. The root cause stems from inadequate input validation and output encoding mechanisms within the icon rendering or configuration display logic.
RemediationAI
Immediately upgrade Drupal UI Icons to version 1.0.1 if running the 1.0.x branch, or to version 1.1.1 if running the 1.1.x branch. Download patches from https://www.drupal.org/sa-contrib-2026-010 and apply via Drupal's module update mechanism or manual file replacement. Until patches can be applied, apply input validation and output encoding patches at the application level if source code access is available, or disable the UI Icons module if not actively required. Additionally, implement Content Security Policy (CSP) headers to restrict script execution and monitor access logs for suspicious payloads or unusual icon configuration requests that may indicate exploitation attempts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15453
GHSA-7478-wj8x-xfw9