Impact
The GDPR cookies module for Backdrop CMS contains an insufficient escaping bug that allows a malicious value entered into the optional "Info content" field of the YouTube service to be rendered without sanitization, leading to a cross‑site scripting flaw. An attacker must be able to create or edit a GDPR Cookies Service in order to supply the hazardous content, and the site must have a configured YouTube service for cookie handling. When these conditions are satisfied, arbitrary script can execute in the browser of any visitor who views a page that includes the affected service, potentially enabling session hijacking, data theft, or other client‑side attacks.
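To illustrate the class of defect described above, the following is an added example and not the module's own code: it contrasts a rendering of a service's "Info content" value that concatenates the stored text straight into markup with one that escapes it at output time. The setting layout and function names are hypothetical; inside a real Backdrop module the core helpers check_plain() (plain text) or filter_xss() (limited markup with an allowed-tag list) would replace the plain-PHP htmlspecialchars() call used here so the snippet runs stand-alone.

```php
<?php
// Added example, not the GDPR cookies module's own code.
// Models how a per-service "Info content" setting is rendered into the
// placeholder a visitor sees in place of a YouTube embed that is blocked
// until cookies are accepted.

// Constructed sample of what a user holding "Edit any GDPR Cookies Service"
// could save into the optional Info content field (hypothetical structure).
$service = [
  'name'         => 'youtube',
  'info_content' => 'Accept cookies to load the video. <script>alert(1)</script>',
];

// VULNERABLE: the stored value is concatenated into the markup as-is, so any
// tags it contains reach every visitor's browser and execute there.
function render_info_unsafe(array $service): string {
  return '<div class="gdpr-cookies-info">' . $service['info_content'] . '</div>';
}

// HARDENED: escape at output time. In Backdrop use check_plain() when the
// field is plain text, or filter_xss() with an explicit allowed-tag list when
// limited markup is intended; htmlspecialchars() stands in for them here.
function render_info_safe(array $service): string {
  $escaped = htmlspecialchars($service['info_content'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
  return '<div class="gdpr-cookies-info">' . $escaped . '</div>';
}

// Regression check a maintainer can keep in the test suite: after the known
// wrapper is stripped, no '<' derived from the stored value may survive.
function contains_raw_tag(string $html): bool {
  $open  = '<div class="gdpr-cookies-info">';
  $close = '</div>';
  $body  = substr($html, strlen($open), -strlen($close));
  return strpos($body, '<') !== false;
}

// The unsafe renderer lets the tag through; the escaped one does not.
var_dump(contains_raw_tag(render_info_unsafe($service)));
var_dump(contains_raw_tag(render_info_safe($service)));
```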
Affected Systems
Backdrop CMS installations that include the GDPR cookies module at any version preceding 1.x-1.3.5 and that have a YouTube service configured for cookie handling are susceptible. Sites using module version 1.x-1.3.5 or later, or sites that have not enabled a YouTube service, are not impacted.
Risk and Exploitability
The CVSS score of 1.8 indicates low severity, and the vulnerability is not listed in the CISA KEV catalog. Because an attacker must hold the "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" permission, which is normally granted only to privileged roles, exploitation requires that administrative capabilities on the site have already been compromised. Given these prerequisites the likelihood of widespread exploitation is limited, though an attacker who does obtain the necessary permissions can compromise every visitor to the affected pages.
OpenCVE Enrichment