Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS). This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.
Published: 2026-03-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE-79) in the Responsive Favicons module: content an attacker controls reaches the HTML the module emits without being escaped, so a victim's browser executes it as script in the origin of the Drupal site. The consequences are the usual ones for XSS: theft of session cookies or credentials, actions performed with the victim's privileges, and defacement. The current CVSS 3.1 score is 4.8 (Medium); its vector, AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, records that the attacker needs a highly privileged account and that the victim must interact, typically by loading a page that carries the payload. The record was first published with PR:N and a 6.1 score and was revised to PR:H on 26 March; the History section below shows the change.
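
To make the weakness class concrete, the following is an added illustration of CWE-79 in a Drupal page-attachment hook. It is not the Responsive Favicons module's code and does not reproduce the actual vulnerable change; the module name `favicon_demo`, the configuration key `favicon_demo.settings:icon_path` and the validation callback are hypothetical. It shows a favicon `<link>` built by string concatenation, where whatever is stored in configuration lands in the HTML unescaped, beside the render-array form in which Drupal's `Attribute` class escapes the attribute value, plus a validation step that rejects dangerous URL schemes before the value is saved.

```php
<?php

/**
 * @file
 * favicon_demo.module (hypothetical module, added example).
 *
 * Two ways to emit <link rel="icon"> from a stored configuration value.
 */

use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Markup;

/**
 * Implements hook_page_attachments().
 */
function favicon_demo_page_attachments(array &$attachments) {
  // Hypothetical config object and key; set through an admin form.
  $path = (string) \Drupal::config('favicon_demo.settings')->get('icon_path');

  // VULNERABLE PATTERN (do not use): the stored value is concatenated into
  // raw HTML and wrapped in Markup::create(), which tells the renderer the
  // string is already safe. A value such as
  //   x"><script>alert(document.cookie)</script><link href="
  // closes the tag and injects a script into <head>, so whoever can write
  // this setting can run script in the browser of every visitor.
  //
  // $attachments['#attached']['html_head'][] = [
  //   ['#markup' => Markup::create('<link rel="icon" href="' . $path . '">')],
  //   'favicon_demo_icon',
  // ];

  // SAFE PATTERN: describe the tag as a render array. The html_tag element
  // renders #attributes through \Drupal\Core\Template\Attribute, which
  // HTML-escapes every value, so quotes in $path cannot break out of href.
  $attachments['#attached']['html_head'][] = [
    [
      '#type' => 'html_tag',
      '#tag' => 'link',
      '#attributes' => [
        'rel' => 'icon',
        'href' => $path,
      ],
    ],
    'favicon_demo_icon',
  ];
}

/**
 * Element validation for the settings form (attach via '#element_validate').
 *
 * Escaping stops attribute break-out; this stops javascript: and data:
 * URLs, which survive escaping but are still dangerous as an href.
 */
function favicon_demo_validate_icon_path(array $element, FormStateInterface $form_state) {
  $value = trim((string) $element['#value']);
  if ($value === '') {
    return;
  }
  // Accept a site-relative path (but not a protocol-relative "//host")
  // or an absolute http(s) URL; UrlHelper::isValid() alone also accepts
  // ftp:// and feed://, hence the explicit scheme check.
  $relative = str_starts_with($value, '/') && !str_starts_with($value, '//');
  $absolute = UrlHelper::isValid($value, TRUE)
    && in_array(parse_url($value, PHP_URL_SCHEME), ['http', 'https'], TRUE);
  if (!$relative && !$absolute) {
    $form_state->setError($element, t('The icon path must be a site-relative path or an http(s) URL.'));
    return;
  }
  // Store a scheme-scrubbed copy; stripDangerousProtocols() removes
  // javascript:, vbscript:, data: and similar schemes.
  $form_state->setValueForElement($element, UrlHelper::stripDangerousProtocols($value));
}
```

The two defences are independent: output escaping protects the markup even if a bad value is already in configuration, while input validation keeps dangerous values out of configuration in the first place. A module that relies on only one of them is one refactor away from a report like this one.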

Affected Systems

Drupal sites running the Responsive Favicons module in any release before 2.0.2 are affected. The range "from 0.0.0 before 2.0.2" in the CVE record is the CNA's way of saying every version prior to the fix; 2.0.2 is the first fixed release.

Risk and Exploitability

The EPSS score is below 1%, implying a low probability of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. The CVE description does not name the injection point. The current CVSS vector carries PR:H, so the attacker must already hold a highly privileged account; for a module whose job is rendering site-wide configuration into the page, the plausible reading is a role allowed to administer the module's settings, with the payload stored there and served to every visitor. The record was initially scored PR:N (no privileges) and later revised, so the earlier reading that an anonymous visitor could inject is not what the current metric says. UI:R means a victim must load a page that carries the payload, and S:C reflects that the script runs in the victim's browser rather than on the server. The risk to a site therefore depends mainly on how many accounts hold that privilege and how well they are protected; the overall threat level remains moderate.

Generated by OpenCVE AI on March 26, 2026 at 16:55 UTC.

Remediation

The vendor fix is Responsive Favicons 2.0.2, released with Drupal security advisory SA-CONTRIB-2026-019 (see the History section). No separate workaround is recorded; the recommended actions below apply.

OpenCVE Recommended Actions

  • Update Drupal Responsive Favicons to version 2.0.2 or later.
  • If an update is not immediately possible, disable or remove the Responsive Favicons module from the site.
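
To carry out the first action across a fleet, an audit needs to know which sites are still inside the affected range. The script below is an added example, not OpenCVE's or the module's code. It assumes the module is installed through Composer under the package name `drupal/responsive_favicons` (the module's machine name), which this page does not state; check the name against your own lock file. The embedded `composer.lock` fragment is constructed for the demonstration.

```php
<?php

/**
 * check_responsive_favicons.php (added example).
 *
 * Reads a composer.lock and reports whether drupal/responsive_favicons is in
 * the affected range "before 2.0.2". Assumption: the module is installed via
 * Composer under that package name.
 *
 * Usage: php check_responsive_favicons.php [path/to/composer.lock]
 * Without an argument the constructed sample lock below is used.
 */

const PACKAGE = 'drupal/responsive_favicons';
const FIXED_VERSION = '2.0.2';

/**
 * Returns 'vulnerable', 'fixed', 'review' (a dev/branch version that cannot
 * be compared to a release number) or 'absent' (package not in the lock).
 */
function assess_lock(string $lock_json): string {
  $lock = json_decode($lock_json, TRUE, 512, JSON_THROW_ON_ERROR);
  foreach (['packages', 'packages-dev'] as $section) {
    foreach ($lock[$section] ?? [] as $pkg) {
      if (($pkg['name'] ?? '') !== PACKAGE) {
        continue;
      }
      $version = (string) ($pkg['version'] ?? '');
      // Branch aliases such as "2.0.x-dev" have no release number;
      // version_compare() would give a meaningless answer, so flag them
      // for a manual check of the pinned commit against the fix.
      if (str_contains($version, 'dev')) {
        return 'review';
      }
      return version_compare($version, FIXED_VERSION, '<') ? 'vulnerable' : 'fixed';
    }
  }
  return 'absent';
}

// Constructed sample lock file; real lock files carry many more fields.
$sample_lock = <<<'JSON'
{
  "packages": [
    {"name": "drupal/core", "version": "10.3.6"},
    {"name": "drupal/responsive_favicons", "version": "2.0.1"}
  ],
  "packages-dev": []
}
JSON;

$path = $argv[1] ?? NULL;
$json = $path !== NULL ? file_get_contents($path) : $sample_lock;
$result = assess_lock($json);
echo PACKAGE . ': ' . $result . PHP_EOL;
// Non-zero exit on a vulnerable site so the check can gate a pipeline.
exit($result === 'vulnerable' ? 1 : 0);
```

Sites that install contrib modules without Composer (a tarball dropped into `modules/`) will show up as `absent`; for those, read the `version:` line of the module's `.info.yml` instead.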


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  Values Added:   cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Drupal; Drupal responsive Favicons
Type: Vendors & Products
  Values Added: Drupal; Drupal responsive Favicons

Wed, 25 Mar 2026 20:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:45:00 +0000

Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS). This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.
Type: Title
  Values Added: Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019
Type: Weaknesses
  Values Added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-26T14:42:31.151Z

Reserved: 2026-02-25T17:19:35.631Z

Link: CVE-2026-3218

Vulnrichment

Updated: 2026-03-25T19:59:04.392Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T16:16:23.050

Modified: 2026-03-26T15:16:40.943

Link: CVE-2026-3218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:47:00Z

Weaknesses