Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing.
This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.
AnalysisAI
Resource Location Spoofing in the Drupal 'Translate Drupal with GTranslate' module (versions 0.0.0 through before 3.0.5) allows a high-privileged authenticated attacker to modify data the module treats as immutable, enabling redirection of translation resource locations. Exploitation requires network access but demands administrator-level privileges, yielding only low integrity impact with no confidentiality or availability consequences. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating negligible exploitation interest at this time.
Technical ContextAI
The affected component is the Drupal contributed module 'Translate Drupal with GTranslate' (CPE: cpe:2.3:a:drupal:translate_drupal_with_gtranslate:*:*:*:*:*:*:*:*), which integrates the GTranslate cloud translation service into Drupal CMS sites. The root cause is CWE-471 (Modification of Assumed-Immutable Data, MAID): the module treats certain configuration or data values - likely translation service endpoint URLs or resource locators - as fixed and trustworthy at runtime, but fails to enforce immutability with adequate access controls. An authorized privileged user can alter these values, causing the module to reference attacker-controlled or spoofed resource locations. The CVSS integrity-only impact (I:L, C:N, A:N) and the advisory tag 'Resource Location Spoofing' together suggest this is a configuration-plane integrity issue rather than a code execution or data exfiltration path. Note: the intelligence tag labels this 'Information Disclosure', which conflicts with the description's 'Resource Location Spoofing' framing - the Drupal advisory at https://www.drupal.org/sa-contrib-2026-035 should be consulted to resolve this discrepancy.
RemediationAI
Upgrade the Translate Drupal with GTranslate module to version 3.0.5 or later, as confirmed by the vendor advisory at https://www.drupal.org/sa-contrib-2026-035 (patch available per vendor). If an immediate upgrade is not feasible, restrict administrative access to the module's configuration pages by auditing and reducing the number of accounts holding the relevant high-privilege Drupal roles, since PR:H means only privileged users can trigger this issue. Drupal's built-in permission system can be used to limit access to translation configuration. These compensating controls reduce insider-threat exposure but do not eliminate the underlying MAID flaw and should be treated as temporary measures only.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30989
GHSA-p6f3-29pv-cj66