Skip to main content

Responsive Favicons EUVDEUVD-2026-15479

| CVE-2026-3218 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 drupal
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15479
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:24 nvd
MEDIUM 4.8

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.

AnalysisAI

The Drupal Responsive Favicons module contains an improper input neutralization vulnerability that allows attackers to inject malicious JavaScript code into web pages (Cross-Site Scripting/XSS). All versions from 0.0.0 up to and including 2.0.1 are affected, with the vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score or EPSS probability metric is currently available, the vulnerability is documented in the official Drupal security advisory (SA-CONTRIB-2026-019) and has been assigned EUVD-2026-15479, indicating this is a confirmed security flaw requiring immediate patching.

Technical ContextAI

The Drupal Responsive Favicons module (identified via CPE cpe:2.3:a:drupal:responsive_favicons:*:*:*:*:*:*:*:*) is a Drupal contributed module designed to manage and serve favicon configurations across responsive web applications. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controlled or external input is not properly sanitized before being rendered into HTML/JavaScript contexts. In this case, the module fails to properly escape or neutralize favicon-related configuration data when generating HTML markup, allowing an attacker to break out of the intended data context and inject arbitrary JavaScript. This is a classic reflected or stored XSS vulnerability pattern where favicon metadata, URLs, or configuration parameters are passed unsanitized into the DOM.

RemediationAI

Immediately upgrade the Drupal Responsive Favicons module to version 2.0.2 or later by downloading the patched version from the Drupal project page or using Drupal's package manager (Composer). Apply the patch referenced in the official security advisory at https://www.drupal.org/sa-contrib-2026-019. As a temporary mitigation before patching is possible, implement a restrictive Content Security Policy (CSP) header that disallows inline JavaScript execution and limits script sources to trusted origins only. Additionally, review and audit favicon configuration settings within the module to identify and remove any potentially malicious payloads that may have already been injected. For high-risk installations, consider disabling the Responsive Favicons module entirely until patching is completed.

Share

EUVD-2026-15479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy