"It has been a pleasure to work with Casey, Rick and Phil from Ricochet. We were initially faced with a dip in productivity on our project due to some team member's contributing to DrupalCon Munich. Casey and team were able to step in, ramp up, and start contributing to solutions immediately. When our team members returned from Munich, we decided the Ricochet guys were too valuable and helpful to let go, so we have kept them on as members of the team until launch.
—Suzy Bates, Four Kitchens

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Wed, 2026-04-22 10:47 — Anonymous (not verified)

Project: ObfuscateDate: 2026-April-22Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site scriptingAffected versions: <2.0.2CVE IDs: CVE-2026-6871Description: This module enables you to obfuscate email addresses in content.
The module doesn't sufficiently sanitize user input via the Twig filter.
This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.Solution: Install the latest version:

If you use the Obfuscate module, upgrade to Obfuscate 2.0.2

Reported By:

Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-033

Search form

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033