{"id":"DRUPAL-CONTRIB-2026-032","details":"The IframeConsent element writes HTML attributes without escaping their value.\n\nThis module has an XSS vulnerability. If an attacker is able to write an `\u003ciframe-consent\u003e` tag, they may be able to insert arbitrary JavaScript.\n\nThis vulnerability is mitigated by the fact that a text format that allows `iframe-consent` HTML tags with alt attributes in the necessary option (*Enable JS Iframe consent*) must be enabled, and an attacker must have a role allowing the creation or modification of content in a field with the text format.","aliases":["CVE-2026-6095"],"modified":"2026-04-10T16:51:06Z","published":"2026-04-08T16:09:54Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2026-032"}],"affected":[{"package":{"name":"drupal/orejime","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/orejime"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.16"}],"database_specific":{"constraint":"\u003c2.0.16"}}],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/orejime/DRUPAL-CONTRIB-2026-032.json","affected_versions":"\u003c2.0.16"}}],"schema_version":"1.7.5","credits":[{"name":"Pierre Rudloff (prudloff)","contact":["https://www.drupal.org/u/prudloff"]}]}