Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting
Action: Patch Module
AI Analysis

Impact

This vulnerability is an improper neutralization of user‑supplied input during web page generation in Drupal Quick Edit. The flaw allows malicious JavaScript to be embedded in views rendered by the module, which could execute in the browser of anyone who accesses the affected content. The weakness is formally categorized as CWE‑79.

Affected Systems

The affected component is the Drupal Quick Edit module. All releases before 1.0.5, including the initial 0.0.0 launch, and all releases before 2.0.1 are vulnerable. Users of any earlier versions should verify whether they expose the module to the front‑end or other accessible interfaces.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score is reported as under 1 %, suggesting low current exploitation activity. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is exploitation via the Quick Edit interface, which requires an authenticated user with edit privileges to inject the malicious payload. Based on the description, it is inferred that the injected script can run in the context of any user who views the edited content, potentially allowing them to perform unauthorized actions in that user’s browser.

Generated by OpenCVE AI on April 2, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Quick Edit module update (at least version 1.0.5 or 2.0.1).
  • If an update is not yet available, consider disabling the Quick Edit module until a patch is released.

Generated by OpenCVE AI on April 2, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-009 cve-icon cve-icon
History

Thu, 02 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Wim-leers
Wim-leers quick Edit
CPEs cpe:2.3:a:wim-leers:quick_edit:*:*:*:*:*:drupal:*:*
cpe:2.3:a:wim-leers:quick_edit:2.0.0:*:*:*:*:drupal:*:*
Vendors & Products Wim-leers
Wim-leers quick Edit

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal quick Edit
Vendors & Products Drupal
Drupal quick Edit

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.
Title Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009
Weaknesses CWE-79
References

Subscriptions

Drupal Quick Edit
Wim-leers Quick Edit
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-26T14:32:07.043Z

Reserved: 2026-02-11T15:48:44.422Z

Link: CVE-2026-2348

cve-icon Vulnrichment

Updated: 2026-03-25T20:04:01.752Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T16:16:21.517

Modified: 2026-04-02T20:41:01.377

Link: CVE-2026-2348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:39:04Z

Weaknesses