Colorbox
Monthly
Cross-site scripting in the Drupal Colorbox module allows an authenticated low-privileged attacker to inject malicious scripts that execute in the browser context of other users. The CVSS scope-change indicator (S:C) confirms this is likely stored XSS, where crafted input persists and executes when victims visit affected pages. No active exploitation is confirmed - EPSS sits at 0.20% (10th percentile) and the vulnerability is not listed in the CISA KEV catalog - but a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-069.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).0.0 before 2.1.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.
Cross-site scripting in the Drupal Colorbox module allows an authenticated low-privileged attacker to inject malicious scripts that execute in the browser context of other users. The CVSS scope-change indicator (S:C) confirms this is likely stored XSS, where crafted input persists and executes when victims visit affected pages. No active exploitation is confirmed - EPSS sits at 0.20% (10th percentile) and the vulnerability is not listed in the CISA KEV catalog - but a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-069.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).0.0 before 2.1.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.