CVE-2026-3218 - Vulnerability Details

- Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019

Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.

Published: 2026-03-25

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The module contains a cross‑site scripting flaw due to improper input neutralization during page rendering. An attacker could inject malicious scripts that execute in the browsers of users viewing the affected pages. This could lead to client‑side compromise, such as session hijacking or data theft, but the scope is limited to the user’s browser. The weakness aligns with CWE‑79.

Affected Systems

Drupal sites that have the Responsive Favicons module installed in any release earlier than 2.0.2 are impacted. This includes initial 0.0.0 through 2.0.1. Any site that is still using those versions is vulnerable.

Risk and Exploitability

The CVSS base score of 4.8 indicates moderate severity. The EPSS score is below 1%, and the flaw is not listed in the CISA KEV catalog, suggesting that active exploitation is currently unlikely. The likely attack vector would require a user to view a page rendered by the module or submit data that is processed by it. If the module is publicly accessible, remote exploitation is plausible, but for sites that restrict access to authenticated users, the risk decreases. The attacker would need to supply crafted input that reaches the rendering path. No exploitation prerequisites beyond typical site access are noted in the description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Drupal

Responsive Favicons

unaffected

Version	Status	Constraints
`0.0.0`	affected	< 2.0.2

Configuration 1 [-]

cpe:2.3:a:pixelite:responsive_favicons:*:*:*:*:*:drupal:*:*

No data.

Vendor Product Confidence Versions

Drupal

Responsive Favicons

100%

Version	Status	Scheme	Platform
`[0.0.0,2.0.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Responsive Favicons version 2.0.2 or later.
Confirm that no older versions of the module remain on the site.
If upgrade is not immediately possible, restrict access to pages using the module until a patch is applied.

Generated by OpenCVE AI on April 1, 2026 at 06:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.drupal.org/sa-contrib-2026-019

History

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pixelite Pixelite responsive Favicons
CPEs		cpe:2.3:a:pixelite:responsive_favicons::::::drupal::*
Vendors & Products		Pixelite Pixelite responsive Favicons

Thu, 26 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`	cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Drupal Drupal responsive Favicons
Vendors & Products		Drupal Drupal responsive Favicons

Wed, 25 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.
Title		Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019
Weaknesses		CWE-79
References		https://www.drupal.org/sa-contrib-2026-019

Subscriptions

Drupal Responsive Favicons

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2026-03-25T15:24:55.196Z

Updated: 2026-03-26T14:42:31.151Z

Reserved: 2026-02-25T17:19:35.631Z

Link: CVE-2026-3218

Vulnrichment

Updated: 2026-03-25T19:59:04.392Z

NVD

Status : Analyzed

Published: 2026-03-25T16:16:23.050

Modified: 2026-03-31T19:25:57.340

Link: CVE-2026-3218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:08Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object