Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.
Published: 2026-03-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Patch Now
AI Analysis

Impact

Improper neutralization of user input in the Drupal UI Icons module allows an attacker to inject arbitrary JavaScript code into web pages rendered with that module. A successful injection could lead to session hijacking, information disclosure, defacement, or redirecting users to malicious sites. The underlying weakness is a classic cross‑site scripting flaw (CWE‑79).

Affected Systems

Drupal UI Icons is affected. Versions from the initial release through the end of 1.0.0, and again from 1.1.0 up to the end of 1.1.0, contain the vulnerability. Any system running one of those versions should be considered at risk.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1 % suggests the vulnerability is unlikely to be widely exploited in the near term. It is not listed in the CISA known exploited vulnerabilities catalog. Attackers can exploit the flaw remotely by submitting malicious payloads in input that is processed by the UI Icons component; the most likely vector is web‑based user input, though the exact details are not specified in the advisory.

Generated by OpenCVE AI on April 1, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Drupal UI Icons to version 1.0.1 or later, or to version 1.1.1 or later.
  • If an upgrade cannot be performed immediately, uninstall or disable the UI Icons module to block potential exploitation.

Generated by OpenCVE AI on April 1, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-010 cve-icon cve-icon
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Beyris
Beyris ui Icons
CPEs cpe:2.3:a:beyris:ui_icons:*:*:*:*:*:drupal:*:*
cpe:2.3:a:beyris:ui_icons:1.1.0:*:*:*:*:drupal:*:*
Vendors & Products Beyris
Beyris ui Icons

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal ui Icons
Vendors & Products Drupal
Drupal ui Icons

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.
Title UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
Weaknesses CWE-79
References

Subscriptions

Drupal Ui Icons
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-25T20:03:40.679Z

Reserved: 2026-02-11T15:48:45.648Z

Link: CVE-2026-2349

cve-icon Vulnrichment

Updated: 2026-03-25T20:03:37.158Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T16:16:21.660

Modified: 2026-03-31T19:20:28.953

Link: CVE-2026-2349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:15Z

Weaknesses