{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1554", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-28T17:01:09.595Z", "datePublished": "2026-02-04T20:26:38.850Z", "dateUpdated": "2026-02-05T15:15:29.323Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/cas_server", "defaultStatus": "unaffected", "product": "Central Authentication System (CAS) Server", "repo": "https://git.drupalcode.org/project/cas_server", "vendor": "Drupal", "versions": [{"lessThan": "2.0.3", "status": "affected", "version": "0.0.0", "versionType": "semver"}, {"lessThan": "2.1.2", "status": "affected", "version": "2.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"}, {"lang": "en", "type": "remediation developer", "value": "Ted Cooper (elc)"}, {"lang": "en", "type": "remediation developer", "value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"}, {"lang": "en", "type": "remediation developer", "value": "Jaap Jansma (jaapjansma)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "datePublic": "2026-01-28T17:29:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.<p>This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.</p>"}], "value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-91", "description": "CWE-91 XML Injection (aka Blind XPath Injection)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:26:38.850Z"}, "references": [{"url": "https://www.drupal.org/sa-contrib-2026-007"}], "source": {"discovery": "UNKNOWN"}, "title": "Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T15:14:46.442485Z", "id": "CVE-2026-1554", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:15:29.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1554", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T15:14:46.442485Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T15:12:53.540Z"}}], "cna": {"title": "Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"}, {"lang": "en", "type": "remediation developer", "value": "Ted Cooper (elc)"}, {"lang": "en", "type": "remediation developer", "value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"}, {"lang": "en", "type": "remediation developer", "value": "Jaap Jansma (jaapjansma)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/cas_server", "vendor": "Drupal", "product": "Central Authentication System (CAS) Server", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.3", "versionType": "semver"}, {"status": "affected", "version": "2.1.0", "lessThan": "2.1.2", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/cas_server", "defaultStatus": "unaffected"}], "datePublic": "2026-01-28T17:29:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-007"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.", "supportingMedia": [{"type": "text/html", "value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.<p>This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-91", "description": "CWE-91 XML Injection (aka Blind XPath Injection)"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:26:38.850Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1554", "state": "PUBLISHED", "dateUpdated": "2026-02-05T15:15:29.323Z", "dateReserved": "2026-01-28T17:01:09.595Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-02-04T20:26:38.850Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jtenman:central_authentication_system_server:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "667508E4-C557-47F0-8038-58B3CAF1851E", "versionEndExcluding": "2.0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:jtenman:central_authentication_system_server:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "1925AABB-E45D-40EC-9357-07091200BF4B", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2."}], "id": "CVE-2026-1554", "lastModified": "2026-02-11T19:18:19.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-04T21:15:59.427", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-007"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-91"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:13:47.527840+00:00", "value": {"mitigation_remediation": ["Upgrade the Central Authentication System (CAS) Server to version 2.0.3 or later, or to 2.1.2 or later, if available from the vendor.", "If an upgrade is not immediately possible, enforce strict validation of all XML inputs or disable XML input handling for untrusted sources to prevent injection.", "Implement audit logging and monitoring for privilege changes, and ensure the principle of least privilege is applied to all CAS server accounts to limit damage if escalation occurs."], "summary": {"action": "Assess Impact", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts Drupal Central Authentication System (CAS) Server versions prior to 2.0.3 (including 0.0.0 up to 2.0.2) and prior to 2.1.2 (including 2.1.0 and 2.1.1). Systems running any of those releases should be considered at risk.", "description_and_impact": "Drupal's Central Authentication System (CAS) Server contains an XML Injection vulnerability, also known as Blind XPath Injection. The flaw allows a malicious actor to inject crafted XML elements that are interpreted by the server\u2019s XML processing engine. By manipulating the XML payload, an attacker can gain elevated privileges within the CAS system, potentially accessing or modifying data reserved for higher\u2011privileged users.", "risk_and_exploitability": "The CVSS v3.1 score is 4.2, indicating low to moderate impact. The EPSS is below 1%, suggesting a very low probability of exploitation in current real\u2011world activity, and the flaw is not listed in the CISA KEV catalog. Likely the attack requires authenticated access to the CAS server\u2019s XML endpoints, or an attacker that can inject XML payloads into the system. Without further data the exact vector is not specified, so we infer that exploitation would involve sending malicious XML to a vulnerable endpoint and that privileged escalation would result from re\u2011interpreting that XML as higher\u2011privileged requests."}}}}, "created": "2026-02-05T11:39:55.227367+00:00", "updated": "2026-04-17T23:15:30.812700+00:00", "vendors": ["drupal", "drupal$PRODUCT$central_authentication_system_(cas)_server"]}