DRUPAL-CONTRIB-2026-010

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json
JSON Data
https://api.test.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-010
Aliases
  • CVE-2026-2349
Published
2026-02-11T16:54:18Z
Modified
2026-02-11T19:26:27.295229Z
Summary
[none]
Details

This module enables you to integrate and manage icons with Drupal.

The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that a site is vulnerable only when the "UI Icons for CKEditor 5" submodule is enabled.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ui_icons

Package

Name
drupal/ui_icons
Purl
pkg:composer/drupal/ui_icons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.1
Database specific
{
    "constraint": "<1.0.1"
}
Type
ECOSYSTEM
Events
Introduced
1.1.0
Fixed
1.1.1
Database specific
{
    "constraint": ">=1.1.0 <1.1.1"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json"
affected_versions
"<1.0.1 || >=1.1.0 <1.1.1"