Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.
AnalysisAI
A Cross-Site Scripting (XSS) vulnerability exists in Drupal Quick Edit due to improper neutralization of user input during web page generation. This vulnerability affects Quick Edit versions 0.0.0 through 1.0.4 and versions 2.0.0 through 2.0.0, allowing attackers to inject malicious scripts that execute in the context of authenticated users' browsers. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been disclosed by the Drupal security team with patches available for affected versions.
Technical ContextAI
Drupal Quick Edit is a core/contributed module that provides in-place editing capabilities for content fields without requiring users to navigate to a separate edit form. The vulnerability stems from inadequate input sanitization when rendering editable content regions on the page, specifically failing to properly escape or neutralize user-supplied input before it is inserted into the HTML DOM during the quick edit interface generation. This is a classic CWE-79 (Cross-site Scripting) vulnerability where untrusted data flows directly into the page output without validation or encoding. The affected CPE entry (cpe:2.3:a:drupal:quick_edit:*:*:*:*:*:*:*:*) encompasses all Quick Edit module versions across all Drupal installations, making this a broad-impact vulnerability affecting any site using the module in vulnerable versions.
RemediationAI
Immediately upgrade Drupal Quick Edit to version 1.0.5 or later for the 1.x branch, or to version 2.0.1 or later for the 2.x branch. Consult the official Drupal security advisory at https://www.drupal.org/sa-contrib-2026-009 for detailed patching instructions specific to your Drupal version. As a temporary mitigation for systems that cannot be patched immediately, restrict access to the Quick Edit interface by disabling the module or using Drupal's permission system to limit quick edit capabilities to highly trusted administrative users only. Additionally, implement Content Security Policy (CSP) headers to restrict script execution and reduce the impact of any injected XSS payloads. Review access logs and user activity for signs of exploitation, particularly targeting administrative and editor accounts.
More in Quick Edit
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15451
GHSA-vmwp-f54q-chhh