What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16.
CVE-2026-6095
CVE-2026-6095: Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032
CVSS base score
—
Explanation of Vulnerability in Simple Terms
02Summary
The Orejime Drupal module contains a cross-site scripting (XSS) vulnerability in versions before 2.0.16. An attacker can inject malicious scripts that execute in users' browsers when they interact with affected pages. The vulnerability stems from insufficient input sanitization or output encoding. Update to version 2.0.16 or later to resolve this issue.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in users' browsers and steal session tokens or perform actions on their behalf.
Potential impact on your site
04Site Impact
Site visitors could have their sessions hijacked or be redirected to malicious sites when the module processes untrusted input.
Conditions required to exploit
05Prerequisites
Ability to submit input to the vulnerable component; may require user interaction depending on attack vector.
Key dates
06Disclosure timeline
May 19, 2026
CVE published
May 20, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2023-5896 Cross-site Scripting (XSS) - Stored in pkp/pkp-lib
CVE-2023-1156 SourceCodester Health Center Patient Record Management System fecalysis_form.php cross site scripting
CVE-2022-20839
CVE-2024-34795 WordPress Tainacan plugin <= 0.21.3 - Cross Site Scripting (XSS) vulnerability
CVE-2025-40891 HTML injection in in Time Machine functionality in Guardian/CMC before 25.5.0
