Skip to main content

Drupal Colorbox Inline EUVDEUVD-2026-30990

| CVE-2026-8493 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 drupal GHSA-3mw4-ccpc-mvj9
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:25 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
5.4 (MEDIUM)
Patch available
May 19, 2026 - 23:02 EUVD
CVE Published
May 19, 2026 - 22:29 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).

This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.

AnalysisAI

Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is insufficiently sanitized or escaped before being rendered as HTML in the browser. Colorbox Inline is a Drupal contributed module that enables inline content - typically text, HTML fragments, or media - to be displayed inside a Colorbox lightbox overlay without a full page reload. The vulnerability resides in how this module processes and outputs user-controlled data during web page generation, failing to neutralize HTML/JavaScript metacharacters. The CPE string cpe:2.3:a:drupal:colorbox_inline:*:*:*:*:*:*:*:* confirms the vulnerable component is the Drupal application-layer module itself, not Drupal core. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:C reflects the canonical stored or persistent XSS scenario: low-complexity network delivery, low-privilege write access to inject, and a separate victim interaction step for execution in a changed scope.

RemediationAI

Upgrade the Colorbox Inline Drupal module to version 2.1.1 or later, which contains the vendor-released patch as confirmed by Drupal security advisory SA-CONTRIB-2026-036 (https://www.drupal.org/sa-contrib-2026-036). Site administrators should run 'drush up colorbox_inline' or update via the Drupal admin UI under Manage > Update. If an immediate upgrade is not possible, a compensating control is to restrict the 'use Colorbox Inline' or equivalent content-editing permission to fully trusted users only, eliminating the low-privilege attacker vector (PR:L). This reduces risk but does not eliminate it for sites where trusted editors are untrusted from a security standpoint. Disabling the module entirely is the most conservative workaround if the feature is not actively used, with the trade-off of losing inline lightbox functionality.

Share

EUVD-2026-30990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy