Project: 
Date: 
2026-July-01
Vulnerability: 
Improper validation
Affected versions: 
<1.4.2 || >=1.5.0 <1.5.2 || >=1.6.0 <1.6.1 || >=1.7.0 <1.7.1
CVE IDs: 
CVE-2026-58588
Description: 

The Canvas module allow you to upload image files via a custom API.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.

Solution: 

Install the latest version:

  • If you use the 1.4.1 version of Canvas, upgrade to 1.4.2
  • If you use the 1.5.1 version of Canvas, upgrade to 1.5.2
  • If you use the 1.6.0 version of Canvas, upgrade to 1.6.1
  • If you use the 1.7.0 version of Canvas, upgrade to 1.7.1
Coordinated By: