{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2348", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-11T15:48:44.422Z", "datePublished": "2026-03-25T15:20:53.201Z", "dateUpdated": "2026-03-26T14:32:07.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:53.201Z"}, "title": "Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009", "datePublic": "2026-02-11T16:53:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Quick Edit", "collectionURL": "https://www.drupal.org/project/quickedit", "repo": "https://git.drupalcode.org/project/quickedit", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.5", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).<p>This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-009"}], "credits": [{"lang": "en", "value": "Drew Webber (mcdruid)", "type": "finder"}, {"lang": "en", "value": "Derek Wright (dww)", "type": "remediation developer"}, {"lang": "en", "value": "Vladimir Roudakov (vladimiraus)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:03:51.458683Z", "id": "CVE-2026-2348", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:32:07.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:03:51.458683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:04:01.752Z"}}], "cna": {"title": "Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Derek Wright (dww)"}, {"lang": "en", "type": "remediation developer", "value": "Vladimir Roudakov (vladimiraus)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/quickedit", "vendor": "Drupal", "product": "Quick Edit", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.5", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.1", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/quickedit", "defaultStatus": "unaffected"}], "datePublic": "2026-02-11T16:53:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-009"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).<p>This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:53.201Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2348", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:32:07.043Z", "dateReserved": "2026-02-11T15:48:44.422Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:20:53.201Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wim-leers:quick_edit:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "0112205D-A715-4F4F-A0A9-8B5D56E38132", "versionEndExcluding": "1.0.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:wim-leers:quick_edit:2.0.0:*:*:*:*:drupal:*:*", "matchCriteriaId": "D0966B64-537B-40DA-9CAE-411915832BD4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web (cross-site scripting) vulnerabilidad en Drupal Quick Edit permite cross-site scripting (XSS). Este problema afecta a Quick Edit: desde 0.0.0 antes de 1.0.5, desde 2.0.0 antes de 2.0.1."}], "id": "CVE-2026-2348", "lastModified": "2026-04-02T20:41:01.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.517", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-009"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "quick_edit", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-02T23:35:54.767550+00:00", "value": {"mitigation_remediation": ["Apply the latest Quick Edit module update (at least version\u202f1.0.5 or 2.0.1).", "If an update is not yet available, consider disabling the Quick Edit module until a patch is released."], "summary": {"action": "Patch Module", "impact": "Cross-site Scripting"}, "threat_synthesis": {"affected_systems": "The affected component is the Drupal Quick Edit module. All releases before 1.0.5, including the initial 0.0.0 launch, and all releases before 2.0.1 are vulnerable. Users of any earlier versions should verify whether they expose the module to the front\u2011end or other accessible interfaces.", "description_and_impact": "This vulnerability is an improper neutralization of user\u2011supplied input during web page generation in Drupal Quick Edit. The flaw allows malicious JavaScript to be embedded in views rendered by the module, which could execute in the browser of anyone who accesses the affected content. The weakness is formally categorized as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, while the EPSS score is reported as under 1\u202f%, suggesting low current exploitation activity. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is exploitation via the Quick Edit interface, which requires an authenticated user with edit privileges to inject the malicious payload. Based on the description, it is inferred that the injected script can run in the context of any user who views the edited content, potentially allowing them to perform unauthorized actions in that user\u2019s browser."}}}}, "created": "2026-03-26T11:43:01.985734+00:00", "updated": "2026-04-03T09:39:04.759095+00:00", "vendors": ["drupal", "drupal$PRODUCT$quick_edit"]}