What the vulnerability does
01 Description
XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation. This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
Explanation of Vulnerability in Simple Terms
02 Summary
A vulnerability exists in the Drupal CAS Server module affecting versions before 2.0.3, and versions from 2.1.0 before 2.1.2. The specific attack vector and impact cannot be fully determined due to incomplete CVSS and CWE data. Site administrators should update immediately to version 2.0.3 or later on the 2.0.x branch, or to 2.1.2 or later on the 2.1.x branch. Contact the module maintainer for detailed technical information.
What an attacker can do
03 Attacker Capabilities
Unknown due to missing CVSS vector data.
Potential impact on your site
04 Site Impact
Sites running CAS Server module < 2.0.3, or 2.1.0 up to but not including 2.1.2, may be at risk; update to 2.0.3 or later (2.1.2 or later on the 2.1.x branch).
Conditions required to exploit
05 Prerequisites
Unknown due to missing CVSS vector data.
Key dates
06 Disclosure timeline
February 4, 2026: CVE published
February 5, 2026: Record updated