Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-January-14
Vulnerability:
Cross-site Scripting
Affected versions:
<1.0.1 || >=2.0.0 <2.3.1
CVE IDs:
CVE-2026-0947
Description:
This module integrates the AT Internet Piano Analytics service.
The module does not filter administrator-entered text leading to a persistent Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pianoanalytics".
Solution:
Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.
- If you use the AT Internet Piano Analytics module for Drupal 10+, upgrade to AT Internet Piano Analytics 2.3.1
- If you use the AT Internet Piano Analytics module for Drupal 9, upgrade to AT Internet Piano Analytics 1.0.1
Reported By:
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
