Skip to main content

Islandora CVE-2026-3215

| EUVDEUVD-2026-15474 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 drupal GHSA-jgfr-pvv6-mq43
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15474
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:24 nvd
MEDIUM 5.4

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5.

AnalysisAI

A Cross-Site Scripting (XSS) vulnerability exists in Drupal Islandora due to improper neutralization of user input during web page generation. All versions of Islandora from 0.0.0 through 2.17.4 are affected, allowing attackers to inject and execute malicious JavaScript in the context of affected users' browsers. Exploitation enables session hijacking, credential theft, malware distribution, and defacement of the repository interface.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a class of weakness where user-controlled input is not properly sanitized or encoded before being rendered in HTML output. Drupal Islandora is a digital repository system built on the Drupal framework (CPE: cpe:2.3:a:drupal:islandora:*:*:*:*:*:*:*:*) that manages and displays digital objects and metadata. The flaw likely occurs in template rendering, form handling, or display of user-supplied or external data without adequate output encoding. Attackers can inject HTML/JavaScript through various input vectors—such as object metadata fields, search parameters, or user-generated content—which are then reflected or stored and served to other users without proper escaping or Content Security Policy (CSP) protections.

RemediationAI

Upgrade Drupal Islandora to version 2.17.5 or later immediately using the patch provided in the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-016. Verify the upgrade by checking the installed version through Drupal's module administration interface. As an interim measure prior to patching, implement a Web Application Firewall (WAF) or reverse proxy with rules to block common XSS payloads, enforce strict Content Security Policy (CSP) headers to restrict script execution, and audit Islandora configuration to disable unnecessary user input fields or submission methods. Additionally, review access logs for suspicious input patterns and consider restricting Islandora access to authenticated users and trusted IP ranges until patching is complete.

Share

CVE-2026-3215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy