Project: 
Date: 
2026-July-01
Vulnerability: 
Improper validation
Affected versions: 
<1.4.2 || >=1.5.0 <1.5.2 || >=1.6.0 <1.6.1 || >=1.7.0 <1.7.1
CVE IDs: 
CVE-2026-58587
Description: 

The Canvas AI submodule allows you to upload image files via a custom API to use within the AI web chat.

These file uploads are insufficiently validated before being written to Drupal's temporary directory. In some cases, this may lead to cross-site scripting (XSS).

Solution: 

Install the latest version:

  • If you use the 1.4.1 version of Canvas, upgrade to 1.4.2
  • If you use the 1.5.1 version of Canvas, upgrade to 1.5.2
  • If you use the 1.6.0 version of Canvas, upgrade to 1.6.1
  • If you use the 1.7.0 version of Canvas, upgrade to 1.7.1
Reported By: 
Coordinated By: