Vulnerability from drupal
Published
2026-07-01 17:24
Modified
2026-07-01 18:36
Summary
Details
The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page.
The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios.
This vulnerability is mitigated by the fact that an attacker must have a role that permits them to enter HTML content.
Credits
Pierre Rudloff (prudloff)
www.drupal.org/u/prudloff
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003c 2.1.5 || 2.2.0"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/colorbox"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003c 2.1.5"
},
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.5"
}
],
"type": "ECOSYSTEM"
},
{
"database_specific": {
"constraint": "2.2.0"
},
"events": [
{
"introduced": "2.2.0"
},
{
"last_affected": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [
"CVE-2026-58591"
],
"credits": [
{
"contact": [
"https://www.drupal.org/u/prudloff"
],
"name": "Pierre Rudloff (prudloff)"
}
],
"details": "The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page.\n\nThe module doesn\u0027t sufficiently protect against injection of malicious JavaScript under certain scenarios.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role that permits them to enter HTML content.",
"id": "DRUPAL-CONTRIB-2026-069",
"modified": "2026-07-01T18:36:44.000Z",
"published": "2026-07-01T17:24:05.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-069"
}
],
"schema_version": "1.7.0"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…