{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3218", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T17:19:35.631Z", "datePublished": "2026-03-25T15:24:55.196Z", "dateUpdated": "2026-03-26T14:42:31.151Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:55.196Z"}, "title": "Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019", "datePublic": "2026-02-25T18:51:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Responsive Favicons", "collectionURL": "https://www.drupal.org/project/responsive_favicons", "repo": "https://git.drupalcode.org/project/responsive_favicons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).<p>This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-019"}], "credits": [{"lang": "en", "value": "Simon B\u00c3\u00a4se (simonbaese)", "type": "finder"}, {"lang": "en", "value": "Frank Mably (mably)", "type": "remediation developer"}, {"lang": "en", "value": "Sean Hamlin (wiifm)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:58:52.195330Z", "id": "CVE-2026-3218", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:42:31.151Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3218", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:58:52.195330Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:59:04.392Z"}}], "cna": {"title": "Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Simon B\u00c3\u00a4se (simonbaese)"}, {"lang": "en", "type": "remediation developer", "value": "Frank Mably (mably)"}, {"lang": "en", "type": "remediation developer", "value": "Sean Hamlin (wiifm)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/responsive_favicons", "vendor": "Drupal", "product": "Responsive Favicons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.2", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/responsive_favicons", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:51:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-019"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).<p>This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:55.196Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3218", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:42:31.151Z", "dateReserved": "2026-02-25T17:19:35.631Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:24:55.196Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2."}], "id": "CVE-2026-3218", "lastModified": "2026-03-26T15:16:40.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:23.050", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-019"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "responsive_favicons", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T21:54:47.098680+00:00", "value": {"mitigation_remediation": ["Upgrade the Responsive Favicons module to version 2.0.2 or later.", "Verify that the update has been applied by reviewing module versions or testing the favicon rendering.", "If an immediate upgrade is not possible, disable or uninstall the Responsive Favicons module to eliminate the vulnerable code path.", "Monitor the site for any suspicious activity or attempts to inject scripts."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting on rendered pages"}, "threat_synthesis": {"affected_systems": "Drupal sites using the Responsive Favicons contributed module on any version earlier than 2.0.2 are vulnerable. Only the Responsive Favicons module is impacted; other Drupal components are not listed as affected.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts into web pages that include Favicons. This cross\u2011site scripting can lead to session hijacking, theft of credentials, or the execution of arbitrary code in the context of the victim browser. It originates from the Responsive Favicons module, where user\u2011supplied data is not sanitized before being rendered.", "risk_and_exploitability": "The CVSS base score of 6.1 denotes a moderately high risk. No EPSS score is available, so the exact likelihood of exploitation cannot be quantified, but the absence of KEV listing suggests no confirmed widespread exploitation yet. The attack vector is most likely via publicly accessible site URLs that render the favicon, meaning an unauthenticated attacker can potentially exploit the flaw by crafting a request that triggers malicious input."}}}}, "created": "2026-03-25T21:30:59.163767+00:00", "updated": "2026-03-26T12:13:18.765409+00:00", "vendors": ["drupal", "drupal$PRODUCT$responsive_favicons"]}