Project:
Date:
2026-July-01
Security risk:
Vulnerability:
Improper validation
Affected versions:
<1.4.2 || >=1.5.0 <1.5.2 || >=1.6.0 <1.6.1 || >=1.7.0 <1.7.1
CVE IDs:
CVE-2026-58587
Description:
The Canvas AI submodule allows you to upload image files via a custom API to use within the AI web chat.
These file uploads are insufficiently validated before being written to Drupal's temporary directory. In some cases, this may lead to cross-site scripting (XSS).
Solution:
Reported By:
Fixed By:
- Alex Bronstein (effulgentsia) of the Drupal Security Team
- Christian López Espínola (penyaskito)
Coordinated By:
- Juraj Nemec (poker10) of the Drupal Security Team