Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-February-11
Vulnerability:
Cross-site Scripting
Affected versions:
<1.0.1 || >=1.1.0 <1.1.1
CVE IDs:
CVE-2026-2349
Description:
This module enables you to integrate and manage icons with Drupal.
The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule must be enabled.
Note: this SA was edited after release to correct the risk score; there is no user authentication requirement.
Solution:
Install the latest version:
- If you use the UI Icons module upgrade to UI Icons 1.0.1 or UI Icons 1.1.1
Reported By:
- Drew Webber (mcdruid) of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
