Intel

AIKIDO-2026-305028

drupal/ai is vulnerable to Cross-site Scripting (XSS)

Cross-site Scripting (XSS)CVE-2026-13234 Published Jun 25, 2026

50

Medium Risk

This Affects:

PHPdrupal/ai
0.0.1 - 1.2.16
Fixed in 1.2.17
1.3.0 - 1.3.7
Fixed in 1.3.8
1.4.0 - 1.4.2
Fixed in 1.4.3
Are you affected? Scan for Free

TL;DR

The Drupal AI module and several submodules (AI Automators, AI Translate, AI API Explorer, and AI Content Suggestions) are vulnerable to cross-site scripting and potential disclosure of sensitive LLM communications when rendering generated HTML or Markdown. This issue only affects sites where an attacker can inject input into LLM prompts.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/ai is vulnerable to Cross-site Scripting (XSS) in versions 0.0.1 - 1.2.16, 1.3.0 - 1.3.7 and 1.4.0 - 1.4.2.

How to fix this

Upgrade the drupal/ai library to the patch version.