Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035
Project: Translate Drupal with GTranslate
Date: 2026-May-13
Security risk: Less critical 8 ∕ 25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: DOM clobbering / link manipulation
Affected versions: <3.0.5
CVE IDs: CVE-2026-8492
Description: The GTranslate module provides a language switcher widget for Drupal sites.
The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain.
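The kind of validation described above, as an added example that is not the GTranslate module's own code: it accepts document.currentScript only when it is a real script element, and as a second, assumed safeguard checks the script-provided host against an allow-list before building a link. The function names, the data-gt-host attribute and the host values are hypothetical.

```javascript
// Added example. trustedScript, switcherHost, languageLink, ALLOWED_HOSTS and
// the data-gt-host attribute are hypothetical names, not GTranslate's code.

// Hosts the site owner has approved for switcher links (constructed values).
const ALLOWED_HOSTS = new Set(['example.com', 'fr.example.com']);

// Return doc.currentScript only when it really is a <script> element.
// document named-property lookup can hand back another element here, so the
// value is type-checked against the script interface before any use.
function trustedScript(doc, ScriptCtor) {
  const el = doc.currentScript;
  return el !== null && typeof el === 'object' && el instanceof ScriptCtor ? el : null;
}

// Pick the host for generated links. A script-provided value is used only if
// it comes from a verified script element and is on the allow-list; anything
// else falls back to the host configured by the site.
function switcherHost(doc, ScriptCtor, fallbackHost) {
  const script = trustedScript(doc, ScriptCtor);
  if (!script) return fallbackHost;
  const raw = script.getAttribute('data-gt-host');
  if (typeof raw !== 'string') return fallbackHost;
  const host = raw.trim().toLowerCase();
  return ALLOWED_HOSTS.has(host) ? host : fallbackHost;
}

// Build one language-switcher URL; the language code is validated as well.
function languageLink(doc, ScriptCtor, fallbackHost, lang) {
  if (!/^[a-z]{2,3}(-[a-z]{2,4})?$/i.test(lang)) {
    throw new TypeError('invalid language code');
  }
  const host = switcherHost(doc, ScriptCtor, fallbackHost);
  return 'https://' + host + '/' + lang.toLowerCase() + '/';
}

// In a browser: languageLink(document, HTMLScriptElement, location.host, 'fr')
```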
This vulnerability is mitigated by the fact that an attacker must be able to add HTML with attributes that are not allowed by Drupal’s default CKEditor configuration. It is also limited to sites using the paid versions of GTranslate widget JavaScript and configurations where the generated language links use script-provided values.
Solution: Install the latest version.
If you use the GTranslate module 3.0.x, upgrade to GTranslate 3.0.5.
Reported By:
- Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team

