Cross-Site Scripting Vulnerability in Drupal Obfuscate
CVE-2026-6871

6.1MEDIUM

Key Information:

Vendor: Drupal
Status: Obfuscate
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-6871?

The Obfuscate module in Drupal has a vulnerability that allows for the injection of malicious scripts into web pages, enabling attackers to execute cross-site scripting (XSS) attacks. This can lead to the compromise of user data and the exploitation of user sessions. The issue affects all versions up to 2.0.2, making it crucial for website administrators to update their installations to mitigate risks associated with this functionality.

Affected Version(s)

Obfuscate 0.0.0 < 2.0.2

References

https://www.drupal.org/sa-contrib-2026-033

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Pierre Rudloff (prudloff)

Christophe Jossart (colorfield)

Nigel Cunningham (nigelcunningham)

Greg Knaddison (greggles)

Juraj Nemec (poker10)

Pierre Rudloff (prudloff)

CVE-2026-6871 Data

JSON