CVE-2026-8492
Description
Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing.
This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-severity MAID vulnerability in Drupal's GTranslate module allows DOM clobbering to spoof language-switcher links, requiring HTML addition privileges.
Vulnerability
The Modification of Assumed-Immutable Data (MAID) vulnerability resides in the GTranslate module for Drupal, affecting versions from 0.0.0 before 3.0.5. The module's widget JavaScript failed to properly validate that document.currentScript referred to the executing script element, enabling DOM clobbering and link manipulation attacks [1].
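The validation described above can be sketched as follows. This is an added example, not code from the GTranslate module or its patch. The function names, the data-host attribute, the allowlist and the Fake* stand-in classes are assumptions made for illustration. In a browser the call would be resolveLinkHost(document, HTMLScriptElement, allowedHosts, location.host).

```javascript
// Added example; function and attribute names are hypothetical, not GTranslate's.

// Return the executing <script> element, or null when document.currentScript
// is missing or is shadowed by another named element (DOM clobbering).
function getExecutingScript(doc, ScriptCtor) {
  const el = doc.currentScript;
  if (el === null || el === undefined) return null;
  // A brand check against the real constructor cannot be satisfied by markup alone.
  return el instanceof ScriptCtor ? el : null;
}

// Choose the host used for language-switcher links. Any value read from the
// DOM is treated as untrusted and must match the site's own allowlist.
function resolveLinkHost(doc, ScriptCtor, allowedHosts, fallbackHost) {
  const script = getExecutingScript(doc, ScriptCtor);
  if (script === null) return fallbackHost;
  const raw = script.getAttribute('data-host'); // assumed attribute name
  if (typeof raw !== 'string') return fallbackHost;
  const host = raw.trim().toLowerCase();
  return allowedHosts.includes(host) ? host : fallbackHost;
}

// Build one language link; URL() throws on a malformed host instead of guessing.
function languageLink(host, lang) {
  return new URL('/' + encodeURIComponent(lang) + '/', 'https://' + host).href;
}

// Constructed stand-ins for DOM objects so the check runs outside a browser.
class FakeScript {
  constructor(attrs) { this.attrs = attrs; }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
}
class FakeImage {
  getAttribute() { return 'other.example'; }
}

const ALLOWED = ['www.example.org']; // constructed sample allowlist
const FALLBACK = 'www.example.org';

// Genuine script element with an allowlisted host: value is accepted.
const okDoc = { currentScript: new FakeScript({ 'data-host': 'WWW.example.org ' }) };
// Non-script element sitting in document.currentScript: value is ignored.
const clobberedDoc = { currentScript: new FakeImage() };
// Genuine script element carrying a host outside the allowlist: value is ignored.
const offListDoc = { currentScript: new FakeScript({ 'data-host': 'other.example' }) };

console.log(languageLink(resolveLinkHost(okDoc, FakeScript, ALLOWED, FALLBACK), 'fr'));
console.log(resolveLinkHost(clobberedDoc, FakeScript, ALLOWED, FALLBACK));
```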
Exploitation
An attacker must have the ability to add HTML to a page, which is restricted by Drupal's default CKEditor configuration and typically requires a privileged role. The attacker can inject crafted HTML attributes to manipulate the language-switcher links, causing them to point to an unintended domain [1].
Impact
Successful exploitation results in Resource Location Spoofing, where generated language links can lead users to a malicious domain. This can be used for phishing or redirecting users to attacker-controlled sites, with a CVSS v3 score of 2.7 (Low) due to the required privileges and limited scope [1].
Mitigation
Upgrade to GTranslate 3.0.5, released as a fix for this vulnerability. No workaround is documented for unpatched versions [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.0.5
Patches
No patches discovered yet.
References