{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3215", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:30.656Z", "datePublished": "2026-03-25T15:24:03.936Z", "dateUpdated": "2026-03-26T14:40:02.415Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:03.936Z"}, "title": "Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016", "datePublic": "2026-02-25T18:49:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Islandora", "collectionURL": "https://www.drupal.org/project/islandora", "repo": "https://git.drupalcode.org/project/islandora", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.17.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).<p>This issue affects Islandora: from 0.0.0 before 2.17.5.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-016"}], "credits": [{"lang": "en", "value": "Drew Webber (mcdruid)", "type": "finder"}, {"lang": "en", "value": "Joe Corall (joecorall)", "type": "remediation developer"}, {"lang": "en", "value": "Rosie Le Faive (rosiel)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:59:59.165020Z", "id": "CVE-2026-3215", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:40:02.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3215", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:59:59.165020Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:00:09.362Z"}}], "cna": {"title": "Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Joe Corall (joecorall)"}, {"lang": "en", "type": "remediation developer", "value": "Rosie Le Faive (rosiel)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/islandora", "vendor": "Drupal", "product": "Islandora", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.17.5", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/islandora", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:49:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-016"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).<p>This issue affects Islandora: from 0.0.0 before 2.17.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:03.936Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3215", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:40:02.415Z", "dateReserved": "2026-02-25T16:59:30.656Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:24:03.936Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:islandora:islandora:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "4C18B2C7-8D7F-4222-9209-FE3763062DD4", "versionEndExcluding": "2.17.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Drupal Islandora permite cross-site scripting (XSS). Este problema afecta a Islandora: desde 0.0.0 antes de 2.17.5."}], "id": "CVE-2026-3215", "lastModified": "2026-03-31T19:24:49.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:22.640", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-016"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.17.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Islandora", "source": "cna", "vendor": "Drupal"}, "product": "islandora", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-01T05:47:19.087641+00:00", "value": {"mitigation_remediation": ["Apply the latest Islandora patch by upgrading to version 2.17.5 or later from the official Drupal repository.", "Verify the installed version after the update to ensure the fix is in place.", "If an upgrade cannot be performed immediately, restrict access to the vulnerable input endpoints or disable file uploads that may contain malicious scripts as a temporary mitigation.", "After remediation, monitor logs for anomalous activity and confirm that no stored malicious scripts remain in the application."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Drupal Islandora versions 0.0.0 through 2.17.4 are affected. Users running these or earlier versions should consider upgrading.", "description_and_impact": "Islandora suffers an improper neutralization of user\u2011supplied input during page rendering, allowing an attacker to inject malicious scripts that will execute in a victim\u2019s browser. This Cross\u2011Site Scripting flaw can facilitate session hijacking, cookie theft, defacement, or the execution of arbitrary JavaScript in the context of a logged\u2011in user. The weakness is identified as CWE\u201179 and carries a CVSS score of 5.4, indicating moderate severity.", "risk_and_exploitability": "The CVSS score of 5.4 reflects moderate risk. EPSS is below 1\u202f%, suggesting limited exploitation activity in the wild; the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely involve an attacker crafting a malicious input\u2014such as a URL parameter or form field\u2014submitted to the vulnerable Islandora instance, which then fails to escape or validate the data. Because the flaw is purely client\u2011side, a remote attacker can trigger it by directing victims to a specially crafted link or by submitting malicious content that will later be rendered to other users."}}}}, "created": "2026-03-25T21:48:02.070946+00:00", "updated": "2026-04-02T07:59:11.785265+00:00", "vendors": ["drupal", "drupal$PRODUCT$islandora"]}