Impact
Improper neutralization of input during web page generation in the Drupal Anti‑Spam by CleanTalk module lets an attacker inject malicious JavaScript into pages rendered for site users. The injected script runs in victims’ browsers, potentially allowing an attacker to steal session cookies, execute arbitrary client‑side code, or deface page content. This flaw does not provide persistent server‑side code execution or direct control of the Drupal core, but it can compromise the confidentiality and integrity of user data and degrade the user experience.
Affected Systems
The vulnerability affects every released version of the Anti‑Spam by CleanTalk module from 0.0.0 up to, but not including, 9.7.0. Any Drupal installation that has the module enabled and has not yet updated to 9.7.0 is susceptible.
Risk and Exploitability
The CVSS base score of 4.7 classifies this issue as Medium severity, while the EPSS score of less than 1% indicates a low likelihood of automated exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread exploitation has been documented. Attackers can exploit the flaw by submitting crafted payloads through any input field handled by the module, requiring only normal web access and no privileged credentials. Successful exploitation would result in client‑side script execution for users who view the affected page.
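The mechanism described under Impact and Risk and Exploitability is the classic CWE‑79 pattern: text a visitor submits through a module‑handled field is later written into a page without being neutralized. The following added example is not code from the CleanTalk module, from Drupal, or from the advisory; it is a generic PHP illustration with constructed function names and a constructed sample input, showing the unsafe concatenation beside the output‑escaping fix and a self‑check a maintainer can keep as a regression test.

```php
<?php
// Added example (not code from the CleanTalk module, Drupal core, or the
// advisory). Function names and the sample input are constructed for
// illustration of the CWE-79 pattern and its output-escaping fix.

declare(strict_types=1);

/**
 * Unsafe pattern: user-controlled text is concatenated straight into markup.
 * Any tags the visitor submitted become part of the rendered page and run
 * in every other visitor's browser.
 */
function renderMessageUnsafe(string $userText): string
{
    return '<div class="antispam-message">' . $userText . '</div>';
}

/**
 * Hardened pattern: neutralize at the point of output. Drupal's
 * \Drupal\Component\Utility\Html::escape() is a thin wrapper around the same
 * htmlspecialchars() call, and Twig autoescaping applies it to template
 * variables unless a template explicitly uses the |raw filter.
 */
function renderMessageSafe(string $userText): string
{
    $escaped = htmlspecialchars(
        $userText,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="antispam-message">' . $escaped . '</div>';
}

/**
 * Regression check: given a rendered fragment and the raw text that went into
 * it, confirm that no tag delimiter or quote from the input survived unescaped.
 * Returns true when the output is neutralized.
 */
function isNeutralized(string $rendered, string $userText): bool
{
    foreach (['<', '>', '"', "'"] as $delimiter) {
        if (str_contains($userText, $delimiter)) {
            // The delimiter must only appear as part of the fixed wrapper markup,
            // never as the raw submitted substring.
            if (str_contains($rendered, $userText)) {
                return false;
            }
        }
    }
    return !str_contains($rendered, '<script');
}

// Constructed sample resembling a hostile comment submission (benign payload).
$sample = '<script>alert("xss")</script>';

$unsafe = renderMessageUnsafe($sample);
$safe   = renderMessageSafe($sample);

// The unsafe renderer passes the script tag through verbatim.
assert(isNeutralized($unsafe, $sample) === false);
// The hardened renderer turns it into &lt;script&gt;...&lt;/script&gt;.
assert(isNeutralized($safe, $sample) === true);

echo $safe, PHP_EOL;
```

Escaping everything is the right default for free text such as sender names or message bodies. Where a field genuinely must carry limited HTML, filter against an allowlist of tags (Drupal's `\Drupal\Component\Utility\Xss::filter()` does this) rather than trying to strip known‑bad strings, and in render arrays prefer `#plain_text` over `#markup` for values that originate from visitors. The check above also doubles as a quick triage test for a site operator who wants to confirm, after applying 9.7.0, that a previously reported input no longer reaches the page unescaped.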
OpenCVE Enrichment