Project: 
Date: 
2026-April-08
Vulnerability: 
Cross-site scripting
Affected versions: 
<2.0.16
CVE IDs: 
CVE-2026-6095
Description: 

The IframeConsent element writes HTML attributes without escaping their value.

This module has a XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.

This vulnerability is mitigated by the fact that a text format that allows iframe-consent HTML tags with alt attributes in the necessary option (Enable JS Iframe consent) must be enabled, and an attacker must have a role allowing the creation or modification of content in a field with text the format.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: