Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered XSS needs no attacker auth (PR:N) but requires victim interaction (UI:R); scope change (S:C) captures cross-context script execution in victim browser; no server-side confidentiality or availability impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
AnalysisAI
Cross-site scripting in the Drupal Canvas contributed module enables remote attackers to inject and execute malicious scripts in the browsers of Drupal site visitors. Affecting multiple version branches - 0.0.0 through 1.4.2, 1.5.0 through 1.5.2, 1.6.0 through 1.6.1, and 1.7.0 through 1.7.1 - the flaw (CWE-79) stems from insufficient sanitization of user-supplied input before rendering it in generated web pages. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Drupal site has the Canvas contributed module installed and enabled at a vulnerable version (0.0.0-<1.4.2, 1.5.0-<1.5.2, 1.6.0-<1.6.1, or 1.7.0-<1.7.1). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 (Medium) score is consistent with a reflected or stored XSS that requires user interaction (UI:R), which prevents automated, mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Drupal site running a vulnerable version of Drupal Canvas and crafts a URL containing an unsanitized script payload targeting a Canvas-rendered parameter. The attacker distributes this link via phishing email or a compromised third-party site targeting Drupal editors or administrators; when the victim clicks the link and the page loads, the injected script executes in their browser session, potentially exfiltrating session cookies or performing actions on the Drupal admin interface on the attacker's behalf. |
| Remediation | A patch is available per vendor advisory - site administrators should consult the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-066 to identify the precise fixed release for their active version branch and upgrade accordingly; exact patched version numbers are not confirmed in the available data and must be verified in the advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Drupal Canvas
View allCross-site scripting in the Drupal Canvas contributed module allows unauthenticated remote attackers to inject and execu
A Server-Side Request Forgery (SSRF) vulnerability exists in Drupal Canvas versions prior to 1.1.1, allowing attackers t
Improper authorization controls in Drupal Canvas versions before 1.0.4 enable attackers to bypass access restrictions an
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43070
GHSA-4jgx-vqf2-p9g9