{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2349", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-11T15:48:45.648Z", "datePublished": "2026-03-25T15:21:28.488Z", "dateUpdated": "2026-03-25T20:03:40.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:28.488Z"}, "title": "UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010", "datePublic": "2026-02-11T16:54:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "UI Icons", "collectionURL": "https://www.drupal.org/project/ui_icons", "repo": "https://git.drupalcode.org/project/ui_icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.1", "versionType": "semver"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).<p>This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-010"}], "credits": [{"lang": "en", "value": "Drew Webber (mcdruid)", "type": "finder"}, {"lang": "en", "value": "Jean Valverde (mogtofu33)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:03:26.630487Z", "id": "CVE-2026-2349", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:03:40.679Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2349", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:03:26.630487Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:03:37.158Z"}}], "cna": {"title": "UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Jean Valverde (mogtofu33)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/ui_icons", "vendor": "Drupal", "product": "UI Icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.1", "versionType": "semver"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.1", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/ui_icons", "defaultStatus": "unaffected"}], "datePublic": "2026-02-11T16:54:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-010"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).<p>This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:28.488Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2349", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:03:40.679Z", "dateReserved": "2026-02-11T15:48:45.648Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:21:28.488Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1."}], "id": "CVE-2026-2349", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.660", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-010"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.0.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.0,1.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UI Icons", "source": "cna", "vendor": "Drupal"}, "product": "ui_icons", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T21:42:19.657076+00:00", "value": {"mitigation_remediation": ["Apply the latest Drupal UI Icons update (v1.0.1 or v1.1.1 and later).", "Verify the installed module version is at least v1.0.1 or v1.1.1.", "If an immediate update is not possible, restrict UI Icon input to safe, sanitized values or disable the UI Icons module until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Drupal UI Icons is vulnerable in all releases prior to 1.0.1 (including 0.0.0 to 1.0.0) and in the 1.1.x series before 1.1.1. Any Drupal site using GUI icons from these versions should verify the current module version and update if necessary.", "description_and_impact": "A cross\u2011site scripting vulnerability in the Drupal UI Icons module allows an attacker to inject arbitrary JavaScript into web pages that render UI icons. The vulnerability is caused by failure to neutralize input data, enabling malicious script execution in the victim\u2019s browser. Successful exploitation can lead to cookie theft, session hijacking, defacement of content, or phishing attacks, compromising confidentiality and integrity of web data and eroding user trust.", "risk_and_exploitability": "The base CVSS score of 6.1 indicates a moderate severity. The lack of an EPSS score and no presence in the CISA KEV catalog suggests the exploit is not yet widely used, but the vulnerability is publicly known and easily testable. Exploitation requires an attacker to supply crafted icon input that contains malicious script, which is rendered in the user's browser, implying a user\u2010visible, local\u2011only vector."}}}}, "created": "2026-03-25T21:48:05.124596+00:00", "updated": "2026-03-26T11:43:01.025518+00:00", "vendors": ["drupal", "drupal$PRODUCT$ui_icons"]}