PT-2026-55081 · Packagist · Drupal/Canvas
Published
2026-07-01
·
Updated
2026-07-01
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Canvas module allow you to upload image files via a custom API.
The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.
Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Drupal/Canvas