{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0749", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-08T19:51:10.879Z", "datePublished": "2026-01-28T18:56:05.806Z", "dateUpdated": "2026-01-28T19:12:36.742Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/form_builder", "defaultStatus": "unaffected", "packageName": "Form Builder", "product": "Drupal", "repo": "https://git.drupalcode.org/project/form_builder", "vendor": "Drupal", "versions": [{"lessThanOrEqual": "7.x-1.22", "status": "affected", "version": "7.x-1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Yonatan Offek (poiu)"}], "datePublic": "2025-05-14T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).<p>This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-01-28T18:56:05.806Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0749"}, {"tags": ["third-party-advisory"], "url": "https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Scripting Vulnerability in Drupal Form Builder Module", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T19:12:13.895295Z", "id": "CVE-2026-0749", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T19:12:36.742Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0749", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T19:12:13.895295Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T19:12:30.419Z"}}], "cna": {"title": "Cross-Site Scripting Vulnerability in Drupal Form Builder Module", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Yonatan Offek (poiu)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/form_builder", "vendor": "Drupal", "product": "Drupal", "versions": [{"status": "affected", "version": "7.x-1.0", "versionType": "custom", "lessThanOrEqual": "7.x-1.22"}], "packageName": "Form Builder", "collectionURL": "https://www.drupal.org/project/form_builder", "defaultStatus": "unaffected"}], "datePublic": "2025-05-14T07:00:00.000Z", "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0749", "tags": ["third-party-advisory"]}, {"url": "https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).<p>This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-01-28T18:56:05.806Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0749", "state": "PUBLISHED", "dateUpdated": "2026-01-28T19:12:36.742Z", "dateReserved": "2026-01-08T19:51:10.879Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-01-28T18:56:05.806Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:silence:form_builder:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "DEA5783B-D89C-4DFB-9B1D-729B058DCDF4", "versionEndIncluding": "7.x-1.22", "versionStartIncluding": "7.x-1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Drupal Form Builder permite cross-site scripting (XSS).Este problema afecta a Drupal: desde 7.X-1.0 hasta 7.X-1.22."}], "id": "CVE-2026-0749", "lastModified": "2026-03-09T14:39:22.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mlhess@drupal.org", "type": "Secondary"}]}, "published": "2026-01-28T19:16:24.453", "references": [{"source": "mlhess@drupal.org", "tags": ["Third Party Advisory"], "url": "https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting"}, {"source": "mlhess@drupal.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0749"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:40:03.179519+00:00", "value": {"mitigation_remediation": ["Apply any available official update for the Drupal Form Builder module that resolves the XSS flaw.", "If an update is unavailable, disable or uninstall the Form Builder module to prevent exposure.", "Review and sanitize any custom form inputs to ensure special characters are escaped before rendering."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal Form Builder module versions 7.X\u20111.0 through 7.X\u20111.22. Administrators should verify whether their sites run any of these versions and apply updates accordingly.", "description_and_impact": "An improper neutralization of input during web page generation, identified as a Cross\u2011Site Scripting (XSS) flaw, allows attackers to inject arbitrary script into pages rendered by the Drupal Form Builder module. The consequence is that a malicious script can execute in the browser context of any user who views the affected form, potentially leading to session hijacking, data theft, or defacement. The weakness is classed under CWE\u201179 and carries a CVSS score of 4.8.", "risk_and_exploitability": "With a moderate CVSS score and an EPSS of less than 1%, exploitation is possible but not highly likely to occur in the wild. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation typically requires an attacker to supply crafted input via the form builder interface, which is then reflected without proper escaping. There are no reported public exploits, but the low EPSS does not eliminate risk, especially in sites with public-facing forms."}}}}, "created": "2026-01-29T09:08:59.960656+00:00", "updated": "2026-04-18T14:45:03.139146+00:00", "vendors": ["drupal", "drupal$PRODUCT$drupal"]}