{"id":"DRUPAL-CONTRIB-2026-016","details":"This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment.\n\nThe module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to nodes, which can also lead to cross-site scripting and other vulnerabilities.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"create media\" and the ability to edit the node the media is being attached to.","aliases":["CVE-2026-3215"],"modified":"2026-02-25T19:56:23.967861Z","published":"2026-02-25T18:49:59Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2026-016"}],"affected":[{"package":{"name":"drupal/islandora","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/islandora"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.17.5"}],"database_specific":{"constraint":"\u003c2.17.5"}}],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/islandora/DRUPAL-CONTRIB-2026-016.json","affected_versions":"\u003c2.17.5"}}],"schema_version":"1.7.3","credits":[{"name":"Drew Webber (mcdruid)","contact":["https://www.drupal.org/u/mcdruid"]}]}