"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Wed, 2026-04-22 10:47 — Anonymous (not verified)

Project: ObfuscateDate: 2026-April-22Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site scriptingAffected versions: <2.0.2CVE IDs: CVE-2026-6871Description: This module enables you to obfuscate email addresses in content.
The module doesn't sufficiently sanitize user input via the Twig filter.
This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.Solution: Install the latest version:

If you use the Obfuscate module, upgrade to Obfuscate 2.0.2

Reported By:

Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-033

Search form

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033