Ricochet has been an invaluable partner in the development of our Drupal sites. Working with Casey, he lent a critical eye to our requirements to understand the feature set and objectives. During development, he was able to propose alternative implementations or creative solutions which met the requirements in an elegant and efficient manner. All the while, Casey maintained perspective on the user experience, to ensure that the product was not only bug free, but also easy to use an navigate. Furthermore, I could rely on Casey to keep me informed of issues and status with timely updates.
—Casey C., Future US

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Wed, 2026-05-13 10:18 — Anonymous (not verified)

Project: Colorbox InlineDate: 2026-May-13Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <2.1.1CVE IDs: CVE-2026-8493Description: This module enables you to open content already on the page within a colorbox.
The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.Solution: Install the latest version:

If you use the Colorbox Inline module for Drupal 8.x, upgrade to Colorbox Inline 2.1.1

Reported By:

Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By:

Michael Harris (miwayha)

Coordinated By:

Bram Driesen (bramdriesen) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-036

Search form

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036