Intel

AIKIDO-2026-662187

drupal/colorbox is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)CVE-2026-58591 Published Jul 2, 2026

42

Medium Risk

This Affects:

PHPdrupal/colorbox
0.0.0 - 2.1.4
Fixed in 2.1.5
2.2.0 - 2.2.0
Fixed in 2.2.1
Are you affected? Scan for Free

TL;DR

The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page. The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios. This vulnerability is mitigated by the fact that an attacker must have a role that permits them to enter HTML content.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/colorbox is vulnerable to Cross-Site Scripting (XSS) in versions 0.0.0 - 2.1.4 and 2.2.0 - 2.2.0.

How to fix this

Upgrade the drupal/colorbox library to the patch version.