CVE-2026-10770

This module provides spam protection using the CleanTalk cloud service.

The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The cleantalk die() and ct die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.

This vulnerability is mitigated by the fact that an attacker must be able to influence the CleanTalk cloud API response (e.g., through a man-in-the-middle attack or a compromised API server).