Ricochet has been an invaluable partner in the development of our Drupal sites. Working with Casey, he lent a critical eye to our requirements to understand the feature set and objectives. During development, he was able to propose alternative implementations or creative solutions which met the requirements in an elegant and efficient manner. All the while, Casey maintained perspective on the user experience, to ensure that the product was not only bug free, but also easy to use an navigate. Furthermore, I could rely on Casey to keep me informed of issues and status with timely updates.
—Casey C., Future US

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

Wed, 2026-04-08 09:09 — Anonymous (not verified)

Project: OrejimeDate: 2026-April-08Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <2.0.16Description: The IframeConsent element writes HTML attributes without escaping their value.
This module has a XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.
This vulnerability is mitigated by the fact that a text format that allows iframe-consent HTML tags with alt attributes in the necessary option (Enable JS Iframe consent) must be enabled, and an attacker must have a role allowing the creation or modification of content in a field with text the format.Solution: Install the latest version:

If you use the 2.x branch of Orejime, upgrade to Orejime 2.0.16.

Reported By:

Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By:

Fabien Gutknecht (fabsgugu)
Pierre Rudloff (prudloff) of the Drupal Security Team

Coordinated By:

Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-032

Search form

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032