Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-February-25
Security risk:
Vulnerability:
Cross-site scripting
Affected versions:
<9.7.0
CVE IDs:
CVE-2026-3213
Description:
This module enables you to block bots by Firewall.
The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or blocked by the firewall.
Solution:
Install the latest version:
- If you use the Anti-Spam by CleanTalk module for Drupal, upgrade to Anti-Spam by CleanTalk 9.7.0.
Reported By:
- Drew Webber (mcdruid) of the Drupal Security Team
Fixed By:
- glomberg
- Drew Webber (mcdruid) of the Drupal Security Team
- sergefcleantalk
Coordinated By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
