Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016
Project: Islandora
Date: 2026-February-25
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Arbitrary file upload, Cross-site scripting
Affected versions: <2.17.5
CVE IDs: CVE-2026-3215
Description: This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment.
The module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to nodes, which can also lead to cross-site scripting and other vulnerabilities.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create media" and the ability to edit the node the media is being attached to.
Solution: Install the latest version:
- If you use the Islandora module, upgrade to Islandora 2.17.5.
Reported By:
- Drew Webber (mcdruid) of the Drupal Security Team
Fixed By:
Coordinated By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team

