Ricochet has been an invaluable partner in the development of our Drupal sites. Working with Casey, he lent a critical eye to our requirements to understand the feature set and objectives. During development, he was able to propose alternative implementations or creative solutions which met the requirements in an elegant and efficient manner. All the while, Casey maintained perspective on the user experience, to ensure that the product was not only bug free, but also easy to use an navigate. Furthermore, I could rely on Casey to keep me informed of issues and status with timely updates.
—Casey C., Future US

UI Icons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-010

Wed, 2026-02-11 08:54 — Anonymous (not verified)

Project: UI IconsDate: 2026-February-11Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.0.1 || >=1.1.0 <1.1.1CVE IDs: CVE-2026-2349Description: This module enables you to integrate and manage icons with Drupal.
The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule must be enabled.Solution: Install the latest version:

If you use the UI Icons module upgrade to UI Icons 1.0.1 or UI Icons 1.1.1

Reported By:

Drew Webber (mcdruid) of the Drupal Security Team

Fixed By:

Jean Valverde (mogtofu33)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-010

Search form

UI Icons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-010