What the vulnerability does
01Description
Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.
Explanation of Vulnerability in Simple Terms
02Summary
Avatar Uploader contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts. An attacker can craft a malicious input that, when viewed by a site user, executes JavaScript in their browser. This requires user interaction to trigger the vulnerability. The vulnerability affects versions 7.x-1.0-beta8.
What an attacker can do
03Attacker Capabilities
Inject and execute malicious JavaScript in a user's browser when they view affected content.
Potential impact on your site
04Site Impact
Site users' sessions, cookies, or credentials could be compromised if they interact with injected content.
Conditions required to exploit
05Prerequisites
User must view a page containing the attacker's malicious input; no authentication required.
Key dates
06Disclosure timeline
May 10, 2026
CVE published
May 26, 2026
Record updated