Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Product status
1.5.0 (semver) before 1.5.2
1.6.0 (semver) before 1.6.1
1.7.0 (semver) before 1.7.1
Credits
AKHIL BABU (akhil babu)
Alex Bronstein (effulgentsia)
Christian López EspÃnola (penyaskito)
Juraj Nemec (poker10)
References
www.drupal.org/sa-contrib-2026-065