Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS).

This issue affects Orejime: from 0.0.0 before 2.0.16.
Published: 2026-05-19
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that permits execution of arbitrary JavaScript when a page is rendered. An attacker who can inject data into Orejime content could cause victim browsers to run malicious scripts, potentially stealing session cookies, performing actions on behalf of the user, or defacing the site. The flaw arises from a lack of output encoding in the page generation code, a classic improper-neutralization weakness catalogued as CWE-79.

Affected Systems

The Drupal Orejime module prior to version 2.0.16 is affected; versions from 0.0.0 up to and including 2.0.15 contain the flaw.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating no reports of widespread exploitation. Cross-site scripting nevertheless remains a high-risk web-application flaw. The likely attack vector, as inferred from the description, is the submission of malicious input via Orejime content fields that are rendered without proper sanitization; the flaw can be triggered by any user who can write or edit Orejime content.

Generated by OpenCVE AI on May 20, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Orejime to version 2.0.16 or later, which fixes the vulnerability.
  • Ensure that all user-generated content is properly sanitized or output-encoded; consider enabling Drupal's built-in HTML filtering.
  • Apply the official patch or update as listed in the Drupal SA-CONTRIB-2026-032 advisory.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Drupal; Drupal orejime

Type: Vendors & Products
Values Added: Drupal; Drupal orejime

Tue, 19 May 2026 22:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16.

Type: Title
Values Added: Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-20T13:35:49.029Z

Reserved: 2026-04-10T16:50:48.630Z

Link: CVE-2026-6095

Vulnrichment

Updated: 2026-05-20T13:35:38.746Z

NVD

Status : Awaiting Analysis

Published: 2026-05-19T23:16:57.970

Modified: 2026-05-20T14:17:03.207

Link: CVE-2026-6095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:30:33Z

Weaknesses