Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.
AnalysisAI
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal Anti-Spam by CleanTalk module due to improper neutralization of user input during web page generation. All versions from 0.0.0 through 9.6.x are affected, with a patch available in version 9.7.0 or later. Attackers can inject malicious scripts that execute in the context of authenticated users' browsers, potentially leading to session hijacking, credential theft, or defacement of Drupal sites.
Technical ContextAI
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), indicating that the Anti-Spam by CleanTalk module fails to properly sanitize or escape user-controllable input before rendering it in HTML responses. The module, identified via CPE cpe:2.3:a:drupal:anti-spam_by_cleantalk:*:*:*:*:*:*:*:*, is a Drupal contributed module that provides spam protection. The root cause involves inadequate input validation and output encoding mechanisms within the module's request handling or display logic, allowing attackers to inject arbitrary JavaScript code that executes with the privileges of the affected user.
RemediationAI
Immediately upgrade Anti-Spam by CleanTalk to version 9.7.0 or later via the Drupal module update interface or by downloading the patched version from https://www.drupal.org/project/cleantalk. Site administrators should verify the upgrade by checking the module version in Drupal's module administration interface. Until patching is feasible, implement input validation and output encoding at the application layer, consider disabling the module temporarily if it is not critical to operations, and ensure that Drupal's core security settings (such as Content Security Policy headers) are properly configured to mitigate inline script execution.
More in Anti Spam By Cleantalk
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15471
GHSA-65g6-ww7v-9mhx