CVE-2026-8493

CVE-2026-8493: Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Vendor: Drupal
Product: Colorbox Inline
Weakness: CWE-79 (XSS)
Published: May 19, 2026
Last update: May 20, 2026

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.

Explanation of Vulnerability in Simple Terms

02 Summary

The Colorbox Inline module for Drupal contains a cross-site scripting (XSS) vulnerability in versions before 2.1.1. An attacker can inject malicious scripts that execute in the browsers of site visitors. The vulnerability exists in how the module processes user-supplied input without proper sanitization. Site administrators should update to version 2.1.1 or later immediately.
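A way to check whether a site falls in the affected range, as an added example that is not part of the advisory or the module's own code: it reads a Composer lock file and classifies the installed Colorbox Inline version against 2.1.1. The package name `drupal/colorbox_inline` and the sample lock contents are assumptions constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/colorbox_inline"   # assumed Composer name for the module
FIXED = (2, 1, 1)                    # first fixed release per the advisory

# Constructed composer.lock excerpt (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/colorbox_inline", "version": "2.1.0"},
    ],
    "packages-dev": [],
})

def parse_version(version):
    """Return (major, minor, patch, is_prerelease), or None for untagged builds."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\d*)?", version, re.I)
    if not m:
        return None  # e.g. "dev-2.x" or "2.x-dev": no release to compare against
    return int(m[1]), int(m[2]), int(m[3]), m[4] is not None

def classify(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one installed version string."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # dev checkout: verify the commit manually
    *release, prerelease = parsed
    release = tuple(release)
    # Conservative: a pre-release of 2.1.1 sorts before 2.1.1, so treat it as in range.
    if release < FIXED or (release == FIXED and prerelease):
        return "vulnerable"
    return "fixed"

def audit_lock(lock_text):
    """Return (version, status) for the module, or None if it is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"], classify(pkg["version"])
    return None

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

To audit a real site, pass the text of its `composer.lock` to `audit_lock` instead of `SAMPLE_LOCK`; an `unknown` result means a development branch is installed and needs a manual check.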

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript that runs in visitors' browsers and steals session cookies or credentials.

Potential impact on your site

04 Site Impact

Visitors' accounts and data are at risk if they click attacker-controlled links or visit compromised pages.

Conditions required to exploit

05 Prerequisites

No authentication required; typically requires the attacker to craft a malicious link or page that a site visitor clicks.

Key dates

06 Disclosure timeline

May 19, 2026: CVE published
May 20, 2026: Record updated