CVE-2026-2348 PUBLISHED

Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009

Assigner: drupal
Reserved: 11.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.

Product Status

Vendor	Drupal
Product	Quick Edit
Versions	Default: unaffected affected from 0.0.0 to 1.0.5 (excl.) affected from 2.0.0 to 2.0.1 (excl.)

Credits

Drew Webber (mcdruid) finder
Derek Wright (dww) remediation developer
Vladimir Roudakov (vladimiraus) remediation developer
Greg Knaddison (greggles) coordinator
Drew Webber (mcdruid) coordinator

References

https://www.drupal.org/sa-contrib-2026-009

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)