Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).
This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.
AnalysisAI
Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is insufficiently sanitized or escaped before being rendered as HTML in the browser. Colorbox Inline is a Drupal contributed module that enables inline content - typically text, HTML fragments, or media - to be displayed inside a Colorbox lightbox overlay without a full page reload. The vulnerability resides in how this module processes and outputs user-controlled data during web page generation, failing to neutralize HTML/JavaScript metacharacters. The CPE string cpe:2.3:a:drupal:colorbox_inline:*:*:*:*:*:*:*:* confirms the vulnerable component is the Drupal application-layer module itself, not Drupal core. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:C reflects the canonical stored or persistent XSS scenario: low-complexity network delivery, low-privilege write access to inject, and a separate victim interaction step for execution in a changed scope.
RemediationAI
Upgrade the Colorbox Inline Drupal module to version 2.1.1 or later, which contains the vendor-released patch as confirmed by Drupal security advisory SA-CONTRIB-2026-036 (https://www.drupal.org/sa-contrib-2026-036). Site administrators should run 'drush up colorbox_inline' or update via the Drupal admin UI under Manage > Update. If an immediate upgrade is not possible, a compensating control is to restrict the 'use Colorbox Inline' or equivalent content-editing permission to fully trusted users only, eliminating the low-privilege attacker vector (PR:L). This reduces risk but does not eliminate it for sites where trusted editors are untrusted from a security standpoint. Disabling the module entirely is the most conservative workaround if the feature is not actively used, with the trade-off of losing inline lightbox functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30990
GHSA-3mw4-ccpc-mvj9