Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Project:

Colorbox Inline

Date:

2026-May-13

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross-site scripting

Affected versions:

<2.1.1

CVE IDs:

CVE-2026-8493

Description:

This module enables you to open content already on the page within a colorbox.

The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution:

Install the latest version:

If you use the Colorbox Inline module for Drupal 8.x, upgrade to Colorbox Inline 2.1.1

Reported By:

Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By:

Michael Harris (miwayha)

Coordinated By:

Bram Driesen (bramdriesen) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team

Contribution record

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community