CVE-2026-1554

CVE-2026-1554: Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

Vendor Drupal
Product Central Authentication System (CAS) Server
Weakness CWE-91 · XML injection
Published February 4, 2026
Last update February 5, 2026

CVSS base score

What the vulnerability does

01 Description

XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation. This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.

Explanation of Vulnerability in Simple Terms

02 Summary

A vulnerability exists in the Drupal CAS Server module affecting versions before 2.0.3, and versions from 2.1.0 before 2.1.2. The specific attack vector and impact cannot be fully determined due to incomplete CVSS and CWE data. Site administrators should update immediately: to 2.0.3 or later on the 2.0.x branch, or to 2.1.2 or later on the 2.1.x branch. Contact the module maintainer for detailed technical information.

What an attacker can do

03 Attacker Capabilities

Unknown due to missing CVSS vector data.

Potential impact on your site

04 Site Impact

Sites running CAS Server module versions before 2.0.3, or 2.1.0 up to but not including 2.1.2, may be at risk; update to 2.0.3 (2.0.x branch) or 2.1.2 (2.1.x branch) or later.

Conditions required to exploit

05 Prerequisites

Unknown due to missing CVSS vector data.

Key dates

06 Disclosure timeline

February 4, 2026 CVE published
February 5, 2026 Record updated