Cross-Site Scripting Vulnerability in Drupal Canvas by Drupal
CVE-2026-58588

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-58588?

A Cross-Site Scripting (XSS) vulnerability exists in Drupal Canvas, which could allow attackers to manipulate web content and execute arbitrary scripts in the context of users' browsers. This issue arises from improper neutralization of user input during web page generation. Affected versions range from 0.0.0 up to 1.7.1 across various updates, creating significant security risks for deployed applications. Admins are urged to review their Drupal Canvas installations and apply necessary updates as outlined in the official documentation.

Affected Version(s)

Drupal Canvas 0.0.0 < 1.4.2

Drupal Canvas 1.5.0 < 1.5.2

Drupal Canvas 1.6.0 < 1.6.1

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Christian López Espínola (penyaskito)
AKHIL BABU (akhil babu)
Christian López Espínola (penyaskito)
Juraj Nemec (poker10)
.