Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS).
This issue affects Orejime: from 0.0.0 before 2.0.16.
AnalysisAI
Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.
Technical ContextAI
Orejime is a Drupal contributed module implementing GDPR/cookie-consent banner functionality (CWE-79: Improper Neutralization of Input During Web Page Generation). The CPE string cpe:2.3:a:drupal:orejime:*:*:*:*:*:*:*:* covers all versions prior to 2.0.16. The root cause is insufficient sanitization or escaping of user-controlled input before it is reflected or stored and rendered in the browser's DOM - a classic CWE-79 pattern. The changed scope (S:C) in the CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N vector signals the payload executes in a context that differs from where the injection point resides, which for a site-wide cookie consent component could mean the injected script affects rendering across multiple pages or origins. This is consistent with a widget that persists user preferences in storage and re-renders them on subsequent page loads.
RemediationAI
Upgrade Drupal Orejime to version 2.0.16 or later, which is the vendor-released patch per Drupal security advisory SA-contrib-2026-032 (https://www.drupal.org/sa-contrib-2026-032). The fix version 2.0.16 is confirmed as the boundary in the affected versions data (0.0.0 before 2.0.16). If an immediate upgrade is not feasible, a compensating control is to temporarily disable the Orejime module in Drupal's module administration until patching is possible - note this will remove the cookie consent banner, which may have GDPR compliance implications. Restricting access to any Orejime configuration pages to authenticated administrators reduces the input surface but does not eliminate risk if the injection point is in user-facing banner parameters. There is no evidence that WAF rules for generic XSS payloads would reliably block exploitation without the vendor patch given the module-specific injection context.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30997
GHSA-6g8q-jh52-g228