Skip to main content

Colorbox

3 CVEs product

Monthly

CVE-2026-58591 PHP MEDIUM PATCH This Month

Cross-site scripting in the Drupal Colorbox module allows an authenticated low-privileged attacker to inject malicious scripts that execute in the browser context of other users. The CVSS scope-change indicator (S:C) confirms this is likely stored XSS, where crafted input persists and executes when victims visit affected pages. No active exploitation is confirmed - EPSS sits at 0.20% (10th percentile) and the vulnerability is not listed in the CISA KEV catalog - but a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-069.

XSS Colorbox
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-3900 PHP MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).0.0 before 2.1.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Colorbox Drupal
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2015-7881 LOW PATCH Monitor

The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

Authentication Bypass Colorbox
NVD
CVSS 2.0
3.5
EPSS
0.1%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in the Drupal Colorbox module allows an authenticated low-privileged attacker to inject malicious scripts that execute in the browser context of other users. The CVSS scope-change indicator (S:C) confirms this is likely stored XSS, where crafted input persists and executes when victims visit affected pages. No active exploitation is confirmed - EPSS sits at 0.20% (10th percentile) and the vulnerability is not listed in the CISA KEV catalog - but a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-069.

XSS Colorbox
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).0.0 before 2.1.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Colorbox Drupal
NVD
EPSS 0% CVSS 3.5
LOW PATCH Monitor

The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

Authentication Bypass Colorbox
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy