CVE-2026-6095
Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS).
This issue affects Orejime: from 0.0.0 before 2.0.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal Orejime before 2.0.16 contains a stored XSS in the IframeConsent element, allowing attackers with content creation privileges to inject arbitrary JavaScript.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Drupal Orejime module versions before 2.0.16. The IframeConsent element writes HTML attributes without escaping their value, allowing injection of arbitrary JavaScript. The vulnerable code path is reachable when a text format that permits iframe-consent HTML tags with alt attributes is enabled, and an attacker has a role allowing creation or modification of content in a field using that text format [1].
Exploitation
An attacker must have a role that grants permission to create or edit content in a field whose text format allows iframe-consent tags with alt attributes. The attacker then inserts a crafted `<iframe-consent>` tag whose `alt` attribute (or another attribute value) carries malicious JavaScript, typically a value that closes the attribute and introduces an event-handler attribute. When the content is rendered, the unescaped attribute value is written verbatim into the generated markup, so the attacker's script executes in the browser of any user viewing the page [1].
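The attribute-injection sink described under Vulnerability and Exploitation, modelled as an added Python example. Orejime is a PHP Drupal module and this is not its code; the element name, attribute names, URL and payload below are constructed for illustration, and the `src` scheme allow-list is a hardening choice made here, not a description of the upstream fix. The example places the unescaped rendering beside an escaped version and uses a small attribute tokenizer, mirroring how a browser ends a double-quoted value at the first `"`, to show which output ends up with an injected event handler.

```python
"""Model of an HTML-attribute XSS sink and its escaped counterpart.

Added illustration, not code from the Orejime module: a stand-in for an
iframe-consent element whose attribute values are written into generated
markup, first without escaping and then with it.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the advisory).
SAFE_SRC = "https://maps.example.test/embed?id=42"
BENIGN_ALT = 'Map of the "old town"'
# Attacker-chosen alt value: the leading double quote ends the attribute,
# so the remainder is parsed as new attributes, including an event handler.
BREAKOUT_ALT = '" onmouseover="alert(document.cookie)" x="'


def render_vulnerable(src: str, alt: str) -> str:
    """Flawed pattern: attribute values are concatenated verbatim."""
    return f'<iframe-consent src="{src}" alt="{alt}"></iframe-consent>'


def _attr(value: str) -> str:
    # quote=True also converts " and ', so the value can never close the attribute.
    return html.escape(value, quote=True)


def src_allowed(src: str) -> bool:
    """Escaping does not neutralise a javascript: URL in src, so the scheme is
    allow-listed separately (hardening added in this example)."""
    return urlsplit(src).scheme in ("http", "https")


def render_fixed(src: str, alt: str) -> str:
    """Escaped pattern: every untrusted value goes through an attribute escaper."""
    if not src_allowed(src):
        raise ValueError("src must be an http(s) URL")
    return f'<iframe-consent src="{_attr(src)}" alt="{_attr(alt)}"></iframe-consent>'


_ATTR_RE = re.compile(r'([A-Za-z][\w:-]*)="([^"]*)"')


def parse_attributes(markup: str) -> dict:
    """Tokenise double-quoted attributes the way a browser would: the value
    ends at the first literal double quote, entities are left as-is."""
    return {name.lower(): value for name, value in _ATTR_RE.findall(markup)}


def injected_handlers(markup: str) -> list:
    """Names of on* event-handler attributes present in the markup."""
    return sorted(n for n in parse_attributes(markup) if n.startswith("on"))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(SAFE_SRC, BREAKOUT_ALT)
        print(f"{label}: {out}")
        print(f"  event handlers after tokenising: {injected_handlers(out)}")
```

The benign alt value is worth running through `render_vulnerable` as well: its ordinary quotation marks truncate the attribute at `Map of the `, which is the same parsing behaviour the payload abuses, and a useful smoke test for any attribute sink.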
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the browser of any user viewing the affected content. Depending on the victim's privileges, the attacker may be able to perform actions such as stealing session cookies, modifying page content, or performing administrative actions on behalf of the victim [1].
Mitigation
Upgrade to Orejime 2.0.16 or later, which contains the fix for this vulnerability [1]. As a workaround, administrators can restrict content editing roles or disable the text format that allows iframe-consent tags until the upgrade is applied. No other workarounds are documented in the available references [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)