Drupal · Gtranslate · CVE-2026-8492
**Name of the Vulnerable Software and Affected Versions**
Translate Drupal with GTranslate versions 0.0.0 through 3.0.4
**Description**
A Modification of Assumed-Immutable Data (MAID) issue in the GTranslate module allows Resource Location Spoofing. The module's widget JavaScript fails to sufficiently validate that `document.currentScript` refers to the executing script element. This allows a user capable of adding HTML to a page to cause the generated language-switcher links to point to an unintended domain. This issue is limited to sites using paid versions of the GTranslate widget JavaScript and configurations where generated language links use script-provided values. Exploitation requires the ability to add HTML with attributes not permitted by the default Drupal CKEditor configuration.
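The missing validation described above can be sketched as a check that `document.currentScript` is a genuine script element and that its source host is on an allowlist before any script-provided value reaches a generated link. This is an added example, not the GTranslate module's code or its 3.0.5 fix; the function names, `allowedHosts`, `fallbackOrigin` and all hosts are hypothetical.

```javascript
'use strict';

// True only for a genuine <script> element. In a browser this is an
// instanceof check; the brand-string fallback exists so the sample also
// runs under Node, where HTMLScriptElement is not defined.
function isScriptElement(el) {
  if (typeof HTMLScriptElement !== 'undefined') {
    return el instanceof HTMLScriptElement;
  }
  return Object.prototype.toString.call(el) === '[object HTMLScriptElement]';
}

// Returns the origin to build language-switcher links from. The
// script-provided value is used only if it comes from a real script element,
// parses as an https URL, and its host is on the allowlist; otherwise the
// site-configured default is used. allowedHosts and fallbackOrigin are
// hypothetical settings, not options of the module.
function switcherOrigin(doc, allowedHosts, fallbackOrigin) {
  const el = doc.currentScript;
  if (!isScriptElement(el) || typeof el.src !== 'string') {
    return fallbackOrigin;
  }
  let url;
  try {
    url = new URL(el.src);
  } catch (e) {
    return fallbackOrigin; // empty or unparsable src
  }
  if (url.protocol !== 'https:' || !allowedHosts.includes(url.hostname)) {
    return fallbackOrigin;
  }
  return url.origin;
}

// Constructed stand-ins for what currentScript may hold (not real DOM nodes).
const realScript = { [Symbol.toStringTag]: 'HTMLScriptElement', src: 'https://cdn.example.test/widget.js' };
const offListScript = { [Symbol.toStringTag]: 'HTMLScriptElement', src: 'https://other.example.net/widget.js' };
const notAScript = { src: 'https://other.example.net/widget.js' }; // not a script element

const ALLOWED = ['cdn.example.test'];
const FALLBACK = 'https://site.example.test';
```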
**Recommendations**
Update to version 3.0.5.