{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0946", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-14T16:52:30.774Z", "datePublished": "2026-02-04T20:25:39.200Z", "dateUpdated": "2026-02-06T20:35:38.434Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/atsmarttag", "defaultStatus": "unaffected", "product": "AT Internet SmartTag", "repo": "https://git.drupalcode.org/project/atsmarttag", "vendor": "Drupal", "versions": [{"lessThan": "1.0.1", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Frank Mably (mably)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "datePublic": "2026-01-14T17:55:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).<p>This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:25:39.200Z"}, "references": [{"url": "https://www.drupal.org/sa-contrib-2026-003"}], "source": {"discovery": "UNKNOWN"}, "title": "AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T20:35:19.832501Z", "id": "CVE-2026-0946", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T20:35:38.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0946", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T20:35:19.832501Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T20:35:34.895Z"}}], "cna": {"title": "AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Frank Mably (mably)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/atsmarttag", "vendor": "Drupal", "product": "AT Internet SmartTag", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.1", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/atsmarttag", "defaultStatus": "unaffected"}], "datePublic": "2026-01-14T17:55:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-003"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).<p>This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:25:39.200Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0946", "state": "PUBLISHED", "dateUpdated": "2026-02-06T20:35:38.434Z", "dateReserved": "2026-01-14T16:52:30.774Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-02-04T20:25:39.200Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bordeaux-metropole:at_internet_smarttag:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "E5AFD944-F23F-4D08-8A30-EDD41959D13A", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1."}], "id": "CVE-2026-0946", "lastModified": "2026-02-11T19:19:34.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-04T21:15:58.907", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-003"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:14:51.567372+00:00", "value": {"mitigation_remediation": ["Update Drupal AT Internet SmartTag to version 1.0.1 or later, which removes the XSS flaw", "Validate and escape all user\u2011supplied input before it is rendered by the module, following best practices for web output encoding", "If an update cannot be applied immediately, disable or uninstall the SmartTag module to eliminate the attack surface"], "summary": {"action": "Patch", "impact": "Cross-site Scripting"}, "threat_synthesis": {"affected_systems": "Drupal A.T. Internet SmartTag is affected from version 0.0.0 up to, but not including, 1.0.1. The module\u2019s functionality applies to any Drupal site that has the SmartTag module installed within that version range.", "description_and_impact": "This vulnerability arises from improper neutralization of user input when generating a web page, allowing an attacker to inject malicious scripts into pages served by the Drupal AT Internet SmartTag module. The injected scripts execute in the context of the victim\u2019s browser, potentially enabling session hijacking, credential theft, or defacement of the site. The weakness corresponds to CWE-79, which focuses on inadequate input filtering or output encoding.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not flagged in the CISA Known Exploit Vulnerabilities catalogue. Attackers would need to provide crafted input to the SmartTag module\u2014most likely via exposed parameters or content fields\u2014to trigger the XSS. Because the flaw occurs during page rendering, the impact is confined to users who visit the compromised pages; however, the presence of arbitrary script execution can be leveraged for broader attacks such as phishing or state\u2011changing requests."}}}}, "created": "2026-02-05T11:39:50.188590+00:00", "updated": "2026-04-17T23:15:30.814466+00:00", "vendors": ["drupal", "drupal$PRODUCT$at_internet_smarttag"]}