PT-2026-55223 · Drupal+1 · Drupal/Canvas
Akhil Babu
+1
·
Published
2026-07-01
·
Updated
2026-07-10
·
CVE-2026-58588
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Drupal Canvas versions 0.0.0 through 1.4.2
Drupal Canvas versions 1.5.0 through 1.5.2
Drupal Canvas versions 1.6.0 through 1.6.1
Drupal Canvas versions 1.7.0 through 1.7.1
Description
An issue exists where the Canvas module allows Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. The module enables image file uploads via a custom API, but validation rules only verify the file extension and ignore the file MIME type (Multipurpose Internet Mail Extensions, a standard that indicates the nature and format of a document). This allows a malicious user to upload non-image files. Depending on the web-server configuration, these files may be served with their actual MIME type, leading to XSS or other unexpected behavior.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Drupal/Canvas