PT-2026-55223 · Drupal+1 · Drupal/Canvas

Akhil Babu

+1

·

Published

2026-07-01

·

Updated

2026-07-10

·

CVE-2026-58588

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Drupal Canvas versions 0.0.0 through 1.4.2 Drupal Canvas versions 1.5.0 through 1.5.2 Drupal Canvas versions 1.6.0 through 1.6.1 Drupal Canvas versions 1.7.0 through 1.7.1
Description An issue exists where the Canvas module allows Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. The module enables image file uploads via a custom API, but validation rules only verify the file extension and ignore the file MIME type (Multipurpose Internet Mail Extensions, a standard that indicates the nature and format of a document). This allows a malicious user to upload non-image files. Depending on the web-server configuration, these files may be served with their actual MIME type, leading to XSS or other unexpected behavior.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58588
DRUPAL-CONTRIB-2026-066

Affected Products

Drupal/Canvas