Skip to main content

Drupal Obfuscate CVE-2026-6871

| EUVD-2026-30988 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 drupal GHSA-rg7p-g694-c73p
XSS Obfuscate
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 14:26 vuln.today
CVSS changed
May 20, 2026 - 14:22 NVD
6.1 (MEDIUM)
Patch available
May 19, 2026 - 23:02 EUVD
CVE Published
May 19, 2026 - 22:28 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS).

This issue affects Obfuscate: from 0.0.0 before 2.0.2.

AnalysisAI

Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted XSS payload to Obfuscate-processed content field
Delivery
Module fails to sanitize input on render
Exploit
Malicious script embedded in generated HTML
Execution
Victim user loads affected page
Persist
Script executes in victim's browser context
Impact
Session token exfiltration or unauthorized action performed
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Drupal site has the Obfuscate contributed module installed and enabled at a version between 0.0.0 and before 2.0.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 medium score reflects a network-reachable (AV:N), low-complexity (AC:L), no-privilege-required (PR:N) vulnerability that still demands user interaction (UI:R) to trigger, limiting opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a content item (such as a node or field value) containing a crafted XSS payload through a publicly accessible form on a Drupal site running the vulnerable Obfuscate module. When an authenticated user - such as a site administrator or editor - navigates to a page that renders the obfuscated content, the injected script executes in their browser, potentially exfiltrating their session cookie or performing administrative actions on their behalf. …
Remediation Update the Drupal Obfuscate module to version 2.0.2 or later, as confirmed by the vendor patch available through Drupal Security Advisory SA-CONTRIB-2026-033 (https://www.drupal.org/sa-contrib-2026-033). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6871 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy