PT-2026-40837 · Drupal · Gtranslate

Edvard Ananyan +3 · Published 2026-05-13 · Updated 2026-05-27 · CVE-2026-8492

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Translate Drupal with GTranslate versions 0.0.0 through 3.0.4

Description
A Modification of Assumed-Immutable Data (MAID) issue in the GTranslate module allows Resource Location Spoofing. The module's widget JavaScript fails to sufficiently validate that document.currentScript refers to the executing script element. This allows a user capable of adding HTML to a page to cause the generated language-switcher links to point to an unintended domain. This issue is limited to sites using paid versions of the GTranslate widget JavaScript and configurations where generated language links use script-provided values. Exploitation requires the ability to add HTML with attributes not permitted by the default Drupal CKEditor configuration.

Recommendations
Update to version 3.0.5.
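
The class of check the description says was missing, as an added JavaScript example (not code from the GTranslate module or its 3.0.5 fix): confirm that document.currentScript is a real script element and that its origin is allowlisted before any generated link uses it. The function names, the example origins, the idea that the link host comes from the script's src, and the ScriptCtor parameter (pass HTMLScriptElement in a browser) are all assumptions made for illustration.

```javascript
// Added illustration; not GTranslate code. All names and origins are hypothetical.
const DEFAULT_ORIGIN = 'https://widget.example'; // constructed placeholder
const ALLOWED_ORIGINS = new Set([DEFAULT_ORIGIN, 'https://cdn.widget.example']);

// Return doc.currentScript only when it is a genuine script element.
// ScriptCtor is a parameter so the check runs offline; in a browser pass
// the global HTMLScriptElement.
function executingScript(doc, ScriptCtor) {
  const el = doc.currentScript;
  return el instanceof ScriptCtor ? el : null;
}

// Origin that generated links may use. The script's own origin is accepted
// only after the type check and the allowlist check both pass.
function trustedLinkOrigin(doc, ScriptCtor) {
  const script = executingScript(doc, ScriptCtor);
  if (!script) return DEFAULT_ORIGIN;
  let origin;
  try {
    origin = new URL(script.src).origin;
  } catch (e) {
    return DEFAULT_ORIGIN; // missing or malformed src
  }
  return ALLOWED_ORIGINS.has(origin) ? origin : DEFAULT_ORIGIN;
}

// Build one language-switcher link from the validated origin.
function languageLink(doc, ScriptCtor, lang) {
  const path = '/' + encodeURIComponent(lang) + '/';
  return new URL(path, trustedLinkOrigin(doc, ScriptCtor)).href;
}

// Constructed stand-ins for DOM objects so the example runs without a browser.
class FakeScript { constructor(src) { this.src = src; } }
const genuineDoc = { currentScript: new FakeScript('https://cdn.widget.example/w.js') };
// currentScript resolves to something that is not a script element.
const spoofedDoc = { currentScript: { src: 'https://other.example/w.js' } };
// A real script element, but loaded from an origin outside the allowlist.
const offListDoc = { currentScript: new FakeScript('https://other.example/w.js') };
```
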

Related Identifiers

CVE-2026-8492
DRUPAL-CONTRIB-2026-035

Affected Products

Gtranslate