Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS).

This issue affects Obfuscate: from 0.0.0 before 2.0.2.
Published: 2026-05-19
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input in the Drupal Obfuscate module allows attackers to inject malicious scripts into web pages that visitors load. This cross‑site scripting flaw gives an attacker the ability to run arbitrary JavaScript in the context of authenticated or unauthenticated users, potentially leading to credential theft, session hijacking, or defacement of the site. The vulnerability is rated as moderately critical by the CNA.

Affected Systems

All releases of the Obfuscate module from its initial 0.0.0 version up to, but not including, 2.0.2 are affected. This includes every pre‑2.0.2 build shipped by Drupal. No other product or vendor is impacted according to the available data.

Risk and Exploitability

The CVSS score is 6.1 (Medium), the CNA describes the issue as moderately critical, and the EPSS score is 0.00029, indicating a very low probability of exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be remote through the web interface that processes user input via the module. With no publicly disclosed exploit code, the likelihood of exploitation remains uncertain, but the flaw permits arbitrary client‑side code execution if an attacker can supply crafted input.

Generated by OpenCVE AI on May 20, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Obfuscate module to version 2.0.2 or later.
  • Disable or remove the module if it is no longer required for site functionality.
  • Enable Drupal core XSS filtering or configure a strict Content Security Policy to mitigate potential injections.



Advisories

No advisories yet.

History

Wed, 20 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 19 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Drupal; Drupal obfuscate
Vendors & Products | | Drupal; Drupal obfuscate

Tue, 19 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2.
Title | | Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033
Weaknesses | | CWE-79
References

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-20T13:22:00.513Z

Reserved: 2026-04-22T16:45:04.896Z

Link: CVE-2026-6871

Vulnrichment

Updated: 2026-05-20T13:21:55.776Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T23:16:58.467

Modified: 2026-05-20T14:17:03.860

Link: CVE-2026-6871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T16:00:06Z
