Skip to main content

Quick Edit EUVDEUVD-2026-15451

| CVE-2026-2348 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 drupal GHSA-vmwp-f54q-chhh
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15451
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:20 nvd
MEDIUM 5.4

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.

AnalysisAI

A Cross-Site Scripting (XSS) vulnerability exists in Drupal Quick Edit due to improper neutralization of user input during web page generation. This vulnerability affects Quick Edit versions 0.0.0 through 1.0.4 and versions 2.0.0 through 2.0.0, allowing attackers to inject malicious scripts that execute in the context of authenticated users' browsers. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been disclosed by the Drupal security team with patches available for affected versions.

Technical ContextAI

Drupal Quick Edit is a core/contributed module that provides in-place editing capabilities for content fields without requiring users to navigate to a separate edit form. The vulnerability stems from inadequate input sanitization when rendering editable content regions on the page, specifically failing to properly escape or neutralize user-supplied input before it is inserted into the HTML DOM during the quick edit interface generation. This is a classic CWE-79 (Cross-site Scripting) vulnerability where untrusted data flows directly into the page output without validation or encoding. The affected CPE entry (cpe:2.3:a:drupal:quick_edit:*:*:*:*:*:*:*:*) encompasses all Quick Edit module versions across all Drupal installations, making this a broad-impact vulnerability affecting any site using the module in vulnerable versions.

RemediationAI

Immediately upgrade Drupal Quick Edit to version 1.0.5 or later for the 1.x branch, or to version 2.0.1 or later for the 2.x branch. Consult the official Drupal security advisory at https://www.drupal.org/sa-contrib-2026-009 for detailed patching instructions specific to your Drupal version. As a temporary mitigation for systems that cannot be patched immediately, restrict access to the Quick Edit interface by disabling the module or using Drupal's permission system to limit quick edit capabilities to highly trusted administrative users only. Additionally, implement Content Security Policy (CSP) headers to restrict script execution and reduce the impact of any injected XSS payloads. Review access logs and user activity for signs of exploitation, particularly targeting administrative and editor accounts.

Share

EUVD-2026-15451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy