Drupal Obfuscate XSS Vulnerability, CVSS 4.6 Medium, 22nd Apr
Summary
CERT-Bund issued advisory WID-SEC-2026-1248 disclosing a Cross-Site Scripting (XSS) vulnerability in the Drupal 'Obfuscate' module versions prior to 2.0.2. The vulnerability carries a CVSS Base Score of 4.6 (Medium) and a CVSS Temporal Score of 4.0 (Medium), with remote exploitation confirmed. The advisory affects installations running on UNIX, Windows, and other operating systems. A mitigation measure is available.
“Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.”
About this source
CERT-Bund is the German federal cybersecurity agency's incident response team, run by the BSI. Their advisory feed publishes vulnerability disclosures and active exploitation warnings for software in widespread enterprise use: VPN appliances, email servers, file transfer products, ERP systems, browsers, hypervisors. Around 280 advisories a month, each with a CVSS score, affected versions, and remediation guidance. The advisories are written in German but cover the same vulnerabilities that show up in CISA, NCSC-UK, and JPCERT bulletins, often hours earlier. Watch this if you patch enterprise software, run a SOC, or write detection rules. GovPing publishes each advisory with the affected vendor, CVSS score, and original CERT-Bund link.
What changed
CERT-Bund published a security advisory describing an XSS vulnerability in the Drupal 'Obfuscate' module (version <2.0.2) affecting websites running on UNIX, Windows, and other operating systems. The vulnerability has a CVSS Base Score of 4.6 (Medium) and a CVSS Temporal Score of 4.0 (Medium); remote exploitation is confirmed. Organizations running the affected module should apply the available mitigation and update to version 2.0.2 or later to remediate the risk of client-side script injection via the vulnerability.
Website operators and Drupal administrators using the Obfuscate module should audit their installations, identify the installed version, and apply the vendor-recommended patch or upgrade path. The advisory does not specify a compliance deadline; however, given the confirmed remote exploitation vector and CVSS score, priority application of mitigations is warranted.
Archived snapshot
Apr 23, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
[WID-SEC-2026-1248] Drupal (Obfuscate): Schwachstelle ermöglicht Cross-Site Scripting CVSS Base Score 4.6 (mittel) CVSS Temporal Score 4.0 (mittel) Remoteangriff ja Datum 22.04.2026 Stand 23.04.2026 Mitigation ja
Betroffene Systeme
Betriebssystem
- Sonstiges
- UNIX
- Windows
Produktbeschreibung
Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.
Produkte
22.04.2026
- Open Source Drupal Obfuscate <2.0.2
Angriff
Angriff
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. CVE Informationen Versionshistorie Feedback zum Advisory geben
Related changes
Get daily alerts for CERT-Bund Security Advisories
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CERT-Bund Security Advisories publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.