Intel

AIKIDO-2026-428354

drupal/canvas is vulnerable to Unrestricted Upload of File with Dangerous Type

Unrestricted Upload of File with Dangerous TypeCVE-2026-58588 Published Jul 2, 2026

42

Medium Risk

This Affects:

PHPdrupal/canvas
0.0.1 - 1.4.1
Fixed in 1.4.2
1.5.0 - 1.5.1
Fixed in 1.5.2
1.6.0 - 1.6.0
Fixed in 1.6.1
1.7.0 - 1.7.0
Fixed in 1.7.1
Are you affected? Scan for Free

TL;DR

The Canvas module allows image uploads via a custom API but only validates file extensions, not MIME types. A malicious user may upload non-image files disguised with image extensions. Depending on web server configuration, those files may be served with their actual MIME type rather than an image type, which could lead to cross-site scripting (XSS) or other unexpected behavior.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/canvas is vulnerable to Unrestricted Upload of File with Dangerous Type in versions 0.0.1 - 1.4.1, 1.5.0 - 1.5.1, 1.6.0 - 1.6.0 and 1.7.0 - 1.7.0.

How to fix this

Upgrade the drupal/canvas library to the patch version.