CVE-2026-8493
Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).
This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Colorbox Inline 2.1.0 and below do not sanitize the data-colorbox-inline attribute, allowing moderate XSS by an attacker who has permission to create HTML tags.
Vulnerability
An improper neutralization of input during web page generation (Cross-site Scripting) vulnerability exists in the Drupal Colorbox Inline module versions before 2.1.1. The module, which enables opening existing page content inside a Colorbox, does not sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery. This flaw allows an attacker to inject arbitrary HTML and JavaScript into pages rendered via the module [1].
Exploitation
An attacker must have a role with permission to enter HTML tags that contain specific data attributes (such as data-colorbox-inline). The attacker can craft a malicious HTML payload within this attribute; when the page is loaded and the Colorbox processes the attribute, the unsanitized input is executed by jQuery, leading to stored or reflected XSS [1].
Impact
Successful exploitation permits the attacker to execute arbitrary JavaScript in the context of the victim's session. This can result in data theft, session hijacking, or defacement of the affected Drupal site. The scope of compromise is limited to the browser of a user who views a page containing the crafted attribute [1].
Mitigation
Users should upgrade to Colorbox Inline version 2.1.1, which contains the necessary sanitization fix. No workaround is provided for unsupported versions. There is no indication that this CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
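An audit helper for the attribute described above, added here as an example and not code from the module or its fix: it scans stored HTML for data-colorbox-inline values that carry markup rather than a selector. It assumes the attribute is meant to hold a CSS selector; the function names and the sample HTML are constructed for illustration.

```javascript
'use strict';
// Added audit example; not code from the Colorbox Inline module or its fix.
// Assumption: data-colorbox-inline is meant to hold a CSS selector.

const ENTITIES = { lt: '<', gt: '>', quot: '"', amp: '&' };

// Decode each entity once, so an encoded "<" inside an attribute is still seen.
function decodeEntities(s) {
  const re = /&(?:#x([0-9a-f]{1,6})|#(\d{1,7})|(lt|gt|quot|amp));/gi;
  return s.replace(re, (m, hex, dec, name) => {
    if (name) return ENTITIES[name.toLowerCase()];
    const cp = parseInt(hex || dec, hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Return every data-colorbox-inline value found in an HTML string, flagged
// when it carries markup instead of a selector.
function auditColorboxInline(html) {
  const attr = /\bdata-colorbox-inline\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  for (const m of html.matchAll(attr)) {
    const value = decodeEntities(m[1] ?? m[2] ?? m[3]).trim();
    // A CSS selector has no use for "<", so its presence is worth a review.
    findings.push({ value, suspicious: value.includes('<') });
  }
  return findings;
}

// Constructed sample field content (not taken from a real site).
const SAMPLE = [
  '<a href="#" data-colorbox-inline=".gallery-item">open</a>',
  '<a href="#" data-colorbox-inline="&lt;b&gt;constructed markup&lt;/b&gt;">open</a>',
  "<a href='#' data-colorbox-inline='#sidebar > .block'>open</a>",
].join('\n');

for (const f of auditColorboxInline(SAMPLE)) {
  console.log(f.suspicious ? 'REVIEW' : 'ok    ', JSON.stringify(f.value));
}
```

Run it over exported body fields from roles that may enter HTML; any value marked REVIEW should be inspected by hand.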
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <2.1.1
- (no CPE) range: <2.1.1
Patches
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.