Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.
AnalysisAI
The Drupal Responsive Favicons module contains an improper input neutralization vulnerability that allows attackers to inject malicious JavaScript code into web pages (Cross-Site Scripting/XSS). All versions from 0.0.0 up to and including 2.0.1 are affected, with the vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score or EPSS probability metric is currently available, the vulnerability is documented in the official Drupal security advisory (SA-CONTRIB-2026-019) and has been assigned EUVD-2026-15479, indicating this is a confirmed security flaw requiring immediate patching.
Technical ContextAI
The Drupal Responsive Favicons module (identified via CPE cpe:2.3:a:drupal:responsive_favicons:*:*:*:*:*:*:*:*) is a Drupal contributed module designed to manage and serve favicon configurations across responsive web applications. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controlled or external input is not properly sanitized before being rendered into HTML/JavaScript contexts. In this case, the module fails to properly escape or neutralize favicon-related configuration data when generating HTML markup, allowing an attacker to break out of the intended data context and inject arbitrary JavaScript. This is a classic reflected or stored XSS vulnerability pattern where favicon metadata, URLs, or configuration parameters are passed unsanitized into the DOM.
RemediationAI
Immediately upgrade the Drupal Responsive Favicons module to version 2.0.2 or later by downloading the patched version from the Drupal project page or using Drupal's package manager (Composer). Apply the patch referenced in the official security advisory at https://www.drupal.org/sa-contrib-2026-019. As a temporary mitigation before patching is possible, implement a restrictive Content Security Policy (CSP) header that disallows inline JavaScript execution and limits script sources to trusted origins only. Additionally, review and audit favicon configuration settings within the module to identify and remove any potentially malicious payloads that may have already been injected. For high-risk installations, consider disabling the Responsive Favicons module entirely until patching is completed.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15479