Medium severity4.7NVD Advisory· Published Mar 25, 2026· Updated Mar 31, 2026

CVE-2026-3213

Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.

Affected products

Cleantalk/Anti Spam
cpe:2.3:a:cleantalk:anti-spam:*:*:*:*:*:drupal:*:*
Range: <9.7.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.drupal.org/sa-contrib-2026-014nvdVendor Advisory

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026)
Wordfence Blog · May 7, 2026
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026)
Wordfence Blog · Apr 2, 2026

Severity

MediumCVSS v3.1

4.7/ 10

Attack vector: Network
Complexity: High
Privileges: None
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.04%

VYPR risk score

Composite of severity, exploitation, and reach.

0.31medium

cvss	0.306
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE ID

CVE-2026-3213

Credits

DW
Drew Webber (mcdruid)
finder
DM
Damien McKenna (damienmckenna)
coordinator
DW
Drew Webber (mcdruid)
coordinator
GK
Greg Knaddison (greggles)
coordinator
J(
Jess (xjm)
coordinator
JN
Juraj Nemec (poker10)
coordinator
DW
Drew Webber (mcdruid)
remediation developer
G
glomberg
remediation developer
S
sergefcleantalk
remediation developer