Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5.
AnalysisAI
A Cross-Site Scripting (XSS) vulnerability exists in Drupal Islandora due to improper neutralization of user input during web page generation. All versions of Islandora from 0.0.0 through 2.17.4 are affected, allowing attackers to inject and execute malicious JavaScript in the context of affected users' browsers. Exploitation enables session hijacking, credential theft, malware distribution, and defacement of the repository interface.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a class of weakness where user-controlled input is not properly sanitized or encoded before being rendered in HTML output. Drupal Islandora is a digital repository system built on the Drupal framework (CPE: cpe:2.3:a:drupal:islandora:*:*:*:*:*:*:*:*) that manages and displays digital objects and metadata. The flaw likely occurs in template rendering, form handling, or display of user-supplied or external data without adequate output encoding. Attackers can inject HTML/JavaScript through various input vectors—such as object metadata fields, search parameters, or user-generated content—which are then reflected or stored and served to other users without proper escaping or Content Security Policy (CSP) protections.
RemediationAI
Upgrade Drupal Islandora to version 2.17.5 or later immediately using the patch provided in the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-016. Verify the upgrade by checking the installed version through Drupal's module administration interface. As an interim measure prior to patching, implement a Web Application Firewall (WAF) or reverse proxy with rules to block common XSS payloads, enforce strict Content Security Policy (CSP) headers to restrict script execution, and audit Islandora configuration to disable unnecessary user input fields or submission methods. Additionally, review access logs for suspicious input patterns and consider restricting Islandora access to authenticated users and trusted IP ranges until patching is complete.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15474
GHSA-jgfr-pvv6-mq43