CVE-2026-6871
Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS).
This issue affects Obfuscate: from 0.0.0 before 2.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Drupal Obfuscate module before 2.0.2 allows XSS via insufficient sanitization of user input in the Twig filter when using ROT13 encoding.
Vulnerability
The vulnerability is a Cross-Site Scripting (XSS) flaw in the Drupal Obfuscate module versions from 0.0.0 before 2.0.2. The module is used to obfuscate email addresses in content, but it does not sufficiently sanitize user input when processing it via the Twig filter. This issue specifically affects sites that are configured to use ROT13 encoding [1].
Exploitation
An attacker must be able to supply content that is subsequently processed by the Obfuscate module's Twig filter. The attack is only exploitable when the site uses the ROT13 encoding method. No other authentication or network position is explicitly required beyond the ability to input content (e.g., through comments or custom fields) that passes through the vulnerable filter [1].
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript into a web page processed by the module. This can lead to cookie theft, session hijacking, defacement, or other client-side attacks within the security context of the affected user's browser, compromising the confidentiality and integrity of the user's session [1].
Mitigation
The vulnerability is fixed in version 2.0.2 of the Obfuscate module. Users should upgrade to this version immediately. No workarounds are documented in the available reference for sites that cannot upgrade [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.