CVE-2026-2349 PUBLISHED

UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010

Assigner: drupal
Reserved: 11.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.

Product Status

Vendor	Drupal
Product	UI Icons
Versions	Default: unaffected affected from 0.0.0 to 1.0.1 (excl.) affected from 1.1.0 to 1.1.1 (excl.)

Credits

Drew Webber (mcdruid) finder
Jean Valverde (mogtofu33) remediation developer
Greg Knaddison (greggles) coordinator
Drew Webber (mcdruid) coordinator

References

https://www.drupal.org/sa-contrib-2026-010

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)