{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2348", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-11T15:48:44.422Z", "datePublished": "2026-03-25T15:20:53.201Z", "dateUpdated": "2026-03-26T14:32:07.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:53.201Z"}, "title": "Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009", "datePublic": "2026-02-11T16:53:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Quick Edit", "collectionURL": "https://www.drupal.org/project/quickedit", "repo": "https://git.drupalcode.org/project/quickedit", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.5", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).<p>This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-009"}], "credits": [{"lang": "en", "value": "Drew Webber (mcdruid)", "type": "finder"}, {"lang": "en", "value": "Derek Wright (dww)", "type": "remediation developer"}, {"lang": "en", "value": "Vladimir Roudakov (vladimiraus)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:03:51.458683Z", "id": "CVE-2026-2348", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:32:07.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:03:51.458683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:04:01.752Z"}}], "cna": {"title": "Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Derek Wright (dww)"}, {"lang": "en", "type": "remediation developer", "value": "Vladimir Roudakov (vladimiraus)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/quickedit", "vendor": "Drupal", "product": "Quick Edit", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.5", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.1", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/quickedit", "defaultStatus": "unaffected"}], "datePublic": "2026-02-11T16:53:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-009"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).<p>This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:53.201Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2348", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:32:07.043Z", "dateReserved": "2026-02-11T15:48:44.422Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:20:53.201Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1."}], "id": "CVE-2026-2348", "lastModified": "2026-03-26T15:16:36.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.517", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-009"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "quick_edit", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T22:06:45.178367+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal Quick Edit to version 1.0.5 or newer. If using the 2.x branch, upgrade to release 2.0.1 or newer. If an upgrade is not immediately possible, disable Quick Edit until a patched version can be installed."], "summary": {"action": "Patch Now", "impact": "Cross-site Scripting that can execute client-side scripts"}, "threat_synthesis": {"affected_systems": "Drupal Quick Edit is affected for all releases from 0.0.0 up to, but not including, 1.0.5 and from 2.0.0 up to, but not including, 2.0.1. Any site deploying these versions is at risk.", "description_and_impact": "The Drupal Quick Edit module allows an attacker to inject malicious JavaScript because it does not properly escape user-supplied input during web page rendering. An injected script runs in the context of any user who views the affected content, enabling session hijacking, credential theft, or defacement of the site.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. Evidence for how the exploit can be launched is not explicitly provided in the advisory, but based on the description, the likely attack vector is local through the Quick Edit interface for privileged users or potentially remote if an attacker can trick a user into loading a crafted page containing the malicious script. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation may still be possible but is not widespread.\nThe risk is mainly to the confidentiality and integrity of user sessions and to the availability of the site when widespread defacement occurs."}}}}, "created": "2026-03-26T11:43:01.985734+00:00", "updated": "2026-03-26T12:13:23.404866+00:00", "vendors": ["drupal", "drupal$PRODUCT$quick_edit"]}