"Ricochet was very impressive with their knowledge, abilities and professionalism. We never ran into a technological roadblock or problem that couldn't be solved. They were able to offer new, cutting-edge solutions around every corner, and they were fantastic about staying in communication. It seemed like we were always able to get ahold of someone, whether it was Tuesday at 1am or Saturday at 7am, someone was quick to respond and help address an emergency or even a simple inquiry. Truly professional service, and quality work.
—Jacob Sowinski, Blue Canvas

Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019

Wed, 2026-02-25 10:51 — Anonymous (not verified)

Project: Responsive FaviconsDate: 2026-February-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingAffected versions: <2.0.2CVE IDs: CVE-2026-3218Description: This module adds the favicons generated by realfavicongenerator.net to your Drupal site.
The module does not filter administrator-entered text, leading to a persistent Cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive favicons".Solution: Install the latest version, then confirm the permissions associated with the module are assigned to appropriate roles.

If you use the Responsive Favicons module version 2.0.1 or lower, upgrade to Responsive Favicons 2.0.2.
4.x and 3.x branches are not affected by this vulnerability.

Reported By:

Simon Bäse (simonbaese)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-019

Search form

Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019