Skip to main content

Anti Spam By Cleantalk CVE-2026-3213

| EUVDEUVD-2026-15471 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 drupal GHSA-65g6-ww7v-9mhx
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15471
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:22 nvd
MEDIUM 4.7

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.

AnalysisAI

A Cross-Site Scripting (XSS) vulnerability exists in the Drupal Anti-Spam by CleanTalk module due to improper neutralization of user input during web page generation. All versions from 0.0.0 through 9.6.x are affected, with a patch available in version 9.7.0 or later. Attackers can inject malicious scripts that execute in the context of authenticated users' browsers, potentially leading to session hijacking, credential theft, or defacement of Drupal sites.

Technical ContextAI

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), indicating that the Anti-Spam by CleanTalk module fails to properly sanitize or escape user-controllable input before rendering it in HTML responses. The module, identified via CPE cpe:2.3:a:drupal:anti-spam_by_cleantalk:*:*:*:*:*:*:*:*, is a Drupal contributed module that provides spam protection. The root cause involves inadequate input validation and output encoding mechanisms within the module's request handling or display logic, allowing attackers to inject arbitrary JavaScript code that executes with the privileges of the affected user.

RemediationAI

Immediately upgrade Anti-Spam by CleanTalk to version 9.7.0 or later via the Drupal module update interface or by downloading the patched version from https://www.drupal.org/project/cleantalk. Site administrators should verify the upgrade by checking the module version in Drupal's module administration interface. Until patching is feasible, implement input validation and output encoding at the application layer, consider disabling the module temporarily if it is not critical to operations, and ensure that Drupal's core security settings (such as Content Security Policy headers) are properly configured to mitigate inline script execution.

Share

CVE-2026-3213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy