Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-June-03
Security risk:
Vulnerability:
Cross site scripting
Affected versions:
<9.7.1
CVE IDs:
CVE-2026-10770
Description:
This module provides spam protection using the CleanTalk cloud service.
The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.
This vulnerability is mitigated by the fact that an attacker must be able to influence the CleanTalk cloud API response (e.g., through a man-in-the-middle attack or a compromised API server).
Solution:
Install the latest version:
- If you use the Anti-Spam by CleanTalk module for Drupal upgrade to Anti-Spam by CleanTalk 9.7.1
Reported By:
- Ra Mänd (ram4nd) provisional member of the Drupal Security Team
Fixed By:
- alexandergull
- anton1211
- Ra Mänd (ram4nd) provisional member of the Drupal Security Team
Coordinated By:
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
