Date: 
2026-June-24
Vulnerability: 
Information Disclosure / Cross-site Scripting
Affected versions: 
<1.2.17 || >=1.3.0 <1.3.8 || >=1.4.0 <1.4.3
CVE IDs: 
CVE-2026-13234
Description: 

The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.

Under certain circumstances, rendering of this HTML can lead to Cross Site Scripting, or exposing secret communications in the context of the LLM request.

This vulnerability is mitigated by the fact that an attacker must be able to inject text into prompts to create an attack.

Solution: 

Install the latest version:

  • If you use the AI module 1.2.16, upgrade to AI 1.2.17
  • If you use the AI module 1.3.7 upgrade to AI 1.3.8
  • If you use the AI module 1.4.2 upgrade to AI 1.4.3
Reported By: 
Coordinated By: