{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3218", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T17:19:35.631Z", "datePublished": "2026-03-25T15:24:55.196Z", "dateUpdated": "2026-03-25T19:59:09.359Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:55.196Z"}, "title": "Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019", "datePublic": "2026-02-25T18:51:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Responsive Favicons", "collectionURL": "https://www.drupal.org/project/responsive_favicons", "repo": "https://git.drupalcode.org/project/responsive_favicons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).<p>This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-019"}], "credits": [{"lang": "en", "value": "Simon B\u00c3\u00a4se (simonbaese)", "type": "finder"}, {"lang": "en", "value": "Frank Mably (mably)", "type": "remediation developer"}, {"lang": "en", "value": "Sean Hamlin (wiifm)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:58:52.195330Z", "id": "CVE-2026-3218", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:59:09.359Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3218", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:58:52.195330Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:59:04.392Z"}}], "cna": {"title": "Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Simon B\u00c3\u00a4se (simonbaese)"}, {"lang": "en", "type": "remediation developer", "value": "Frank Mably (mably)"}, {"lang": "en", "type": "remediation developer", "value": "Sean Hamlin (wiifm)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/responsive_favicons", "vendor": "Drupal", "product": "Responsive Favicons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.2", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/responsive_favicons", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:51:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-019"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).<p>This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:55.196Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3218", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:59:09.359Z", "dateReserved": "2026-02-25T17:19:35.631Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:24:55.196Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2."}], "id": "CVE-2026-3218", "lastModified": "2026-03-25T20:16:35.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:23.050", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-019"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T16:20:18.802684+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal Responsive Favicons to version 2.0.2 or newer"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Drupal Responsive Favicons is impacted in all releases before version 2.0.2. This includes any site that has installed or enabled the module in an older version. No additional version granularity is supplied, so all users of pre\u20112.0.2 should assume the module is vulnerable.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation that permits Cross\u2011Site Scripting in Drupal Responsive Favicons. An attacker can inject malicious JavaScript into pages rendered by the module, potentially allowing theft of session cookies, defacement of the site, or execution of arbitrary client\u2011side code as the visiting user. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVE is tagged as moderately critical, but there is no EPSS score or KEV listing, leaving exploitation probability uncertain. The attack likely occurs when a user requests a page that includes the module\u2019s output. An attacker could craft a malicious link or inject content that triggers the vulnerable code path. Because the flaw is client\u2011side, it can affect any user browsing the affected site."}}}}, "created": "2026-03-25T21:30:59.163767+00:00", "updated": "2026-03-25T21:30:59.163793+00:00", "vendors": []}