Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).

This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.
Published: 2026-05-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Drupal Colorbox Inline fails to properly neutralize input during web page generation (CWE-79), which lets an attacker inject arbitrary HTML or JavaScript into content that the module renders. The injected script runs in the victim's browser in the context of the affected site, which can enable session hijacking, credential theft, or defacement. The impact is confined to the Drupal installation that loads Colorbox Inline and to the users who visit it; the CVSS vector recorded for this CVE nonetheless carries S:C (changed scope), as is usual for XSS, because the payload executes in the victim's browser rather than in the vulnerable component itself.

Affected Systems

The flaw affects every release of the Colorbox Inline module from 0.0.0 up to, but not including, 2.1.1. Any Drupal site still running 2.1.0 or earlier remains vulnerable.

Risk and Exploitability

The CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) describes a network-reachable flaw that requires low privileges on the site and interaction by the victim, which is consistent with a stored or reflected XSS triggered when a crafted page or content entry is rendered. The base score of 5.4 is rated Medium on the CVSS scale (Drupal's own advisory rates the issue "Moderately critical"), and the EPSS score below 1% indicates a low probability of exploitation in the wild; the SSVC record likewise lists "Exploitation: none" and "Automatable: no". The flaw can be exploited by an attacker who is able to influence the content that Colorbox Inline displays, for example through a link or comment containing an injected payload. Sites that grant content-creation or commenting rights to many low-trust accounts, or that do not apply a restrictive text format to such content, are at greater risk.

Generated by OpenCVE AI on May 20, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround is recorded in this field. The affected range ("before 2.1.1") and the Drupal advisory title recorded in the history below identify 2.1.1 as the fixed release.

OpenCVE Recommended Actions

  • Upgrade the Colorbox Inline module to version 2.1.1 or later
  • If an upgrade is not immediately possible, disable the Colorbox Inline module or remove it from any pages where untrusted content could be rendered
  • Apply a generic XSS filter or content sanitization layer (for example a restrictive Drupal text format) to user-supplied content before it is passed to the Colorbox Inline renderer
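Before acting on the first recommendation it helps to know which sites actually carry an affected release. The following is an added example, not code from OpenCVE or from the Colorbox Inline project, that reads composer.lock data (where a Composer-managed Drupal site records the installed module version) and classifies the installed version against the 2.1.1 boundary. The package name drupal/colorbox_inline, the four sample lock files and the version-string handling are assumptions made for this illustration. A pre-release such as 2.1.1-beta1 is ordered before 2.1.1, and a branch checkout such as 2.1.x-dev is reported as unknown because it cannot be compared to a release.

```python
"""Audit composer.lock data for a Colorbox Inline version in the affected range.

Added example, not code from OpenCVE or the Colorbox Inline project. The package
name, the sample lock data and the version handling are assumptions.
"""
import json
import re

# Affected range recorded for this CVE: every release before 2.1.1.
# Fourth element: 0 = pre-release (alpha/beta/rc), 1 = final release.
FIXED_VERSION = (2, 1, 1, 1)

# Assumed Composer package name for the drupal.org project "colorbox_inline".
PACKAGE = "drupal/colorbox_inline"

# Constructed composer.lock excerpts for four hypothetical sites (not real data).
SAMPLE_LOCKFILES = {
    "site-a": json.dumps({"packages": [
        {"name": "drupal/core", "version": "10.3.2"},
        {"name": "drupal/colorbox_inline", "version": "2.0.2"},
    ]}),
    "site-b": json.dumps({"packages": [
        {"name": "drupal/colorbox_inline", "version": "2.1.1"},
    ]}),
    "site-c": json.dumps({"packages": [
        {"name": "drupal/colorbox_inline", "version": "2.1.x-dev"},
    ]}),
    "site-d": json.dumps({"packages": [
        {"name": "drupal/core", "version": "10.3.2"},
    ]}),
}

# Accepts "2.1.0", "v2.1.0", legacy "8.x-1.3" and pre-releases such as "2.1.1-beta1".
_VERSION_RE = re.compile(
    r"^(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)\d*)?$", re.IGNORECASE
)


def parse_version(version):
    """Return (major, minor, patch, final) or None for a dev branch / unparseable string."""
    if ".x-dev" in version or version.startswith("dev-"):
        return None  # branch checkouts such as 2.1.x-dev cannot be ordered against a release
    match = _VERSION_RE.match(version.lstrip("v"))
    if not match:
        return None
    major, minor, patch, prerelease = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def assess(version):
    """Classify one installed version as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    return "fixed" if parsed >= FIXED_VERSION else "affected"


def audit_lockfile(lock_json):
    """Return (installed_version, status) for PACKAGE in one composer.lock document."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                version = pkg.get("version", "")
                return version, assess(version)
    return "-", "not installed"


def audit_all(lockfiles):
    """Map site name -> (installed_version, status) for every lock file given."""
    return {site: audit_lockfile(lock) for site, lock in lockfiles.items()}


if __name__ == "__main__":
    for site, (version, status) in audit_all(SAMPLE_LOCKFILES).items():
        print(f"{site}: {PACKAGE} {version} -> {status}")
```

To use it on real sites, replace SAMPLE_LOCKFILES with the contents of each site's composer.lock. Sites that install contributed modules without Composer should instead read the version recorded in the module's .info.yml by drupal.org packaging, or the Extend page, and apply the same comparison by hand.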

Advisories

No advisories yet.

History

Wed, 20 May 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Drupal
                                      Drupal colorbox Inline
Vendors & Products   -                Drupal
                                      Drupal colorbox Inline

Tue, 19 May 2026 22:45:00 +0000

Type         Values Removed   Values Added
Description  -                Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.
Title        -                Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036
Weaknesses   -                CWE-79
References

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-20T16:35:50.626Z

Reserved: 2026-05-13T15:43:29.219Z

Link: CVE-2026-8493

Vulnrichment

Updated: 2026-05-20T16:16:41.839Z

NVD

Status : Undergoing Analysis

Published: 2026-05-19T23:16:58.987

Modified: 2026-05-20T18:16:28.287

Link: CVE-2026-8493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T18:30:36Z

Weaknesses