IframeConsent element allows malicious JavaScript to run
DRUPAL-CONTRIB-2026-032
Summary
The IframeConsent element of the Drupal orejime module writes HTML attribute values into its `<iframe-consent>` output without escaping them. A user with the right permissions who can place such a tag in content may therefore be able to inject arbitrary JavaScript (cross-site scripting), which could let them take control of the site or steal sensitive information. Sites are only exposed when a text format allows the tag with the *Enable JS Iframe consent* option enabled and the attacker has a role that can create or modify content in a field using that format; update to the fixed release and grant content-editing permissions only to the roles that need them.
What to do
- Update drupal/orejime to version 2.0.16.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| drupal | drupal/orejime | <= 2.0.16 | 2.0.16 |
Original title
The IframeConsent element writes HTML attributes without escaping their value.
This module has an XSS vulnerability. If an attacker is able to write an `<iframe-consent>` tag, they may be able to i...
Original description
The IframeConsent element writes HTML attributes without escaping their value.
This module has an XSS vulnerability. If an attacker is able to write an `<iframe-consent>` tag, they may be able to insert arbitrary JavaScript.
This vulnerability is mitigated by the fact that a text format that allows `iframe-consent` HTML tags with alt attributes in the necessary option (*Enable JS Iframe consent*) must be enabled, and an attacker must have a role allowing the creation or modification of content in a field with that text format.
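The bug class the description names, unescaped attribute values written into an `<iframe-consent>` tag, shown as an added example beside a hardened form. This is illustration code written for this page, not the orejime module's own implementation; the attribute allow-list and the sample input are assumptions constructed for the example.

```php
<?php
// Added illustration, not code from drupal/orejime. Shows why writing
// attribute values verbatim is exploitable and how escaping plus an
// attribute allow-list closes the hole.

/**
 * Vulnerable pattern: values are concatenated without escaping, so a value
 * containing a double quote terminates the attribute and whatever follows
 * is parsed as additional markup (new attributes, including event handlers).
 */
function render_iframe_consent_unescaped(array $attrs): string {
  $out = '<iframe-consent';
  foreach ($attrs as $name => $value) {
    $out .= ' ' . $name . '="' . $value . '"';
  }
  return $out . '></iframe-consent>';
}

/**
 * Hardened pattern: only allow-listed attribute names are emitted, and every
 * value is escaped so quotes, angle brackets and ampersands stay inert
 * inside the attribute context.
 */
function render_iframe_consent_escaped(array $attrs): string {
  // Assumed allow-list for this example; the real module defines its own.
  $allowed = ['src', 'alt', 'width', 'height'];
  $out = '<iframe-consent';
  foreach ($attrs as $name => $value) {
    $name = strtolower((string) $name);
    if (!in_array($name, $allowed, true)) {
      continue; // drop anything not on the allow-list
    }
    $safe = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $out .= ' ' . $name . '="' . $safe . '"';
  }
  return $out . '></iframe-consent>';
}

// Constructed sample input: an alt value that tries to close the attribute
// and smuggle a second, attacker-chosen attribute into the tag.
$input = [
  'src' => 'https://example.com/embed',
  'alt' => 'Video" data-injected="1',
];

// The unescaped renderer emits the smuggled attribute as real markup; the
// escaped renderer keeps the whole value inside alt="..." as text.
echo render_iframe_consent_unescaped($input), PHP_EOL;
echo render_iframe_consent_escaped($input), PHP_EOL;
```

Compare the two lines of output: in the first the injected text becomes a separate attribute, in the second the quote is emitted as `&quot;` and the alt value stays a single string.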
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026