Drupal · Obfuscate · CVE-2026-6871
**Name of the Vulnerable Software and Affected Versions**
Obfuscate versions 0.0.0 through 2.0.1
**Description**
Improper neutralization of input during web page generation allows Cross-Site Scripting (XSS). The module, which obfuscates email addresses in content, fails to sufficiently sanitize user input via the Twig filter. This issue specifically affects sites utilizing ROT13 encoding (a simple substitution cipher that replaces a letter with the 13th letter after it in the alphabet) in scenarios where an attacker can provide content filtered by the module's Twig filter.
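An added illustration of the general bug class described above, not the Obfuscate module's code and not a reconstruction of its flaw: ROT13 rotates only letters, so HTML metacharacters pass through it unchanged and the obfuscated value still has to be escaped for the context it is written into. The function names, the `<span>` markup and the sample inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration; function names and markup are hypothetical,
// not taken from the Obfuscate module.

// Weak: str_rot13() rotates only A-Z and a-z, so < > " ' & survive as-is.
function rot13_attr_unescaped(string $input): string {
    return '<span class="rot13" data-value="' . str_rot13($input) . '"></span>';
}

// Hardened: reject non-addresses, then escape for the HTML attribute context.
// Validation alone is not enough: ' and & are legal in an email local part.
function rot13_attr_hardened(string $input): ?string {
    if (filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $encoded = htmlspecialchars(str_rot13($input), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="rot13" data-value="' . $encoded . '"></span>';
}

// True when the fragment is more than the single <span ...></span> we meant to emit.
function has_extra_markup(string $fragment): bool {
    return substr_count($fragment, '<') !== 2 || substr_count($fragment, '"') !== 4;
}

// Constructed sample inputs: a plain address, one with markup characters,
// and a valid address whose local part contains ' and &.
$samples = [
    'alice@example.com',
    'a"><i>x</i>@example.com',
    "o'brien&co@example.com",
];

foreach ($samples as $s) {
    $weak = rot13_attr_unescaped($s);
    $hard = rot13_attr_hardened($s);
    printf("input:    %s\n", $s);
    printf("weak:     %s (extra markup: %s)\n", $weak, has_extra_markup($weak) ? 'yes' : 'no');
    printf("hardened: %s\n\n", $hard ?? '(rejected: not a valid email address)');
}
```

Whatever decodes the value in the browser should write the result as text (for example via `textContent`), since decoding restores any metacharacters that were present in the input.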
**Recommendations**
Update to version 2.0.2.