PT-2026-5243 · Drupal · Central Authentication System (Cas) Server

Gaãl Gosset +4 · Published 2026-01-28 · Updated 2026-02-11 · CVE-2026-1554

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Drupal Central Authentication System (CAS) Server versions prior to 2.0.3
Drupal Central Authentication System (CAS) Server versions 2.1.0 through 2.1.1

Description
The Central Authentication System (CAS) Server module for Drupal does not adequately sanitize user-provided field values when configured as attributes in a CAS server response, leading to an XML Element Injection issue. An attacker must be authenticated and have the ability to input XML into a user entity field that is configured as a CAS Attribute source to exploit this.

Recommendations
Update Drupal Central Authentication System (CAS) Server to version 2.0.3 or later.
Update Drupal Central Authentication System (CAS) Server to version 2.1.2 or later.
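
The class of bug named in the description, shown as an added example that is not code from the CAS Server module or its fix: a field value concatenated into the attributes block is parsed as markup, while the same value added as a DOM text node stays text. The function names, the `department` attribute and the sample value are assumptions made for illustration.

```php
<?php
// Added example with hypothetical helpers; not the module's own code.
const CAS_NS = 'http://www.yale.edu/tp/cas'; // CAS protocol XML namespace

// Unsafe pattern: the field value is concatenated into the XML as-is.
function attributes_by_concatenation(array $attrs): string {
    $xml = '<cas:attributes xmlns:cas="' . CAS_NS . '">';
    foreach ($attrs as $name => $value) {
        $xml .= "<cas:$name>$value</cas:$name>";
    }
    return $xml . '</cas:attributes>';
}

// Safer pattern: the value becomes a text node, so markup characters
// are serialized as entities instead of being parsed as elements.
function attributes_by_dom(array $attrs): string {
    $doc = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->createElementNS(CAS_NS, 'cas:attributes');
    $doc->appendChild($root);
    foreach ($attrs as $name => $value) {
        // Attribute names come from configuration; accept plain names only.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*$/', (string) $name)) {
            throw new InvalidArgumentException("Invalid attribute name: $name");
        }
        $el = $doc->createElementNS(CAS_NS, "cas:$name");
        $el->appendChild($doc->createTextNode((string) $value));
        $root->appendChild($el);
    }
    return $doc->saveXML($root);
}

// Number of elements a CAS client would find below <cas:attributes>.
function count_attribute_elements(string $xml): int {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    return $doc->documentElement->getElementsByTagName('*')->length;
}

// Constructed sample: one configured attribute whose value contains markup.
$attrs = ['department' => 'Ops<cas:extra>x</cas:extra>'];
$outputs = [
    'concatenation' => attributes_by_concatenation($attrs),
    'dom' => attributes_by_dom($attrs),
];
foreach ($outputs as $label => $xml) {
    printf("%-13s elements=%d  %s\n", $label, count_attribute_elements($xml), $xml);
}
```

A mismatch between the number of configured attributes and the number of elements in the serialized response is a usable regression check for this issue on sites that build CAS responses themselves.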

Fix

LPE

Weakness Enumeration

Related identifiers

CVE-2026-1554
DRUPAL-CONTRIB-2026-007

Affected products

Central Authentication System (Cas) Server