Skip to main content

Drupal Canvas CVE-2026-58588

| EUVDEUVD-2026-43070 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 drupal GHSA-4jgx-vqf2-p9g9
6.1
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered XSS needs no attacker auth (PR:N) but requires victim interaction (UI:R); scope change (S:C) captures cross-context script execution in victim browser; no server-side confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:45 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
6.1 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.

AnalysisAI

Cross-site scripting in the Drupal Canvas contributed module enables remote attackers to inject and execute malicious scripts in the browsers of Drupal site visitors. Affecting multiple version branches - 0.0.0 through 1.4.2, 1.5.0 through 1.5.2, 1.6.0 through 1.6.1, and 1.7.0 through 1.7.1 - the flaw (CWE-79) stems from insufficient sanitization of user-supplied input before rendering it in generated web pages. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Drupal site with Canvas module enabled
Delivery
Craft malicious URL embedding XSS payload in Canvas input
Exploit
Deliver link to victim via phishing or social engineering
Execution
Victim clicks link, browser renders unsanitized output
Persist
Injected script executes in victim's browser session
Impact
Exfiltrate session token or perform unauthorized admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Drupal site has the Canvas contributed module installed and enabled at a vulnerable version (0.0.0-<1.4.2, 1.5.0-<1.5.2, 1.6.0-<1.6.1, or 1.7.0-<1.7.1). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 (Medium) score is consistent with a reflected or stored XSS that requires user interaction (UI:R), which prevents automated, mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a Drupal site running a vulnerable version of Drupal Canvas and crafts a URL containing an unsanitized script payload targeting a Canvas-rendered parameter. The attacker distributes this link via phishing email or a compromised third-party site targeting Drupal editors or administrators; when the victim clicks the link and the page loads, the injected script executes in their browser session, potentially exfiltrating session cookies or performing actions on the Drupal admin interface on the attacker's behalf.
Remediation A patch is available per vendor advisory - site administrators should consult the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-066 to identify the precise fixed release for their active version branch and upgrade accordingly; exact patched version numbers are not confirmed in the available data and must be verified in the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy