Skip to main content

Advanced Content Feedback Aka Admin Feedback

2 CVEs product

Monthly

CVE-2026-13232 PHP LOW PATCH Monitor

Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.

Authentication Bypass Advanced Content Feedback Aka Admin Feedback
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-13231 PHP MEDIUM PATCH This Month

Stored XSS in the Drupal contributed module Advanced Content Feedback (admin_feedback) affects all releases from 0.0.0 up to 2.8.0, enabling a remote unauthenticated attacker to inject persistent malicious scripts that execute in the browsers of users who subsequently view affected pages. The scope change (S:C) in the CVSS vector indicates the injected payload escapes the application's security context and operates in the victim's browser, potentially enabling session hijacking or unauthorized actions on behalf of privileged users. No public exploit code has been identified and CISA has not added this to KEV; EPSS at 0.16% (6th percentile) and SSVC's 'exploitation: none' classification confirm this is a low-urgency finding with no evidence of active targeting.

XSS Advanced Content Feedback Aka Admin Feedback
NVD
CVSS 3.1
6.1
EPSS
0.2%
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.

Authentication Bypass Advanced Content Feedback Aka Admin Feedback
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in the Drupal contributed module Advanced Content Feedback (admin_feedback) affects all releases from 0.0.0 up to 2.8.0, enabling a remote unauthenticated attacker to inject persistent malicious scripts that execute in the browsers of users who subsequently view affected pages. The scope change (S:C) in the CVSS vector indicates the injected payload escapes the application's security context and operates in the victim's browser, potentially enabling session hijacking or unauthorized actions on behalf of privileged users. No public exploit code has been identified and CISA has not added this to KEV; EPSS at 0.16% (6th percentile) and SSVC's 'exploitation: none' classification confirm this is a low-urgency finding with no evidence of active targeting.

XSS Advanced Content Feedback Aka Admin Feedback
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy