Date: 2026-February-25
Vulnerability: Cross-site scripting
Affected versions: <2.0.2
CVE IDs: CVE-2026-3218
Description: 

This module adds the favicons generated by realfavicongenerator.net to your Drupal site.

The module does not filter administrator-entered text, leading to a persistent cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive favicons".

Solution: 

Install the latest version, then confirm the permissions associated with the module are assigned to appropriate roles.

  • If you use the Responsive Favicons module version 2.0.1 or lower, upgrade to Responsive Favicons 2.0.2.
  • 4.x and 3.x branches are not affected by this vulnerability.
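One way to carry out the permission review after upgrading, as an added example that is not part of the advisory or the module: the script reads a site's exported role configuration (`user.role.*.yml` files) and lists every role that holds "administer responsive favicons", including roles flagged `is_admin`, which hold every permission implicitly. The function names and the sample role files are constructed for illustration; point `roles_with_permission` at your own config export directory.

```python
import re
import tempfile
from pathlib import Path

PERMISSION = "administer responsive favicons"  # permission named in the advisory

def parse_role(text):
    """Minimal reader for an exported user.role.*.yml (label, is_admin, permissions)."""
    role = {"label": "", "is_admin": False, "permissions": []}
    in_perms = False
    for line in text.splitlines():
        if in_perms:
            m = re.match(r"\s*-\s+(.*)$", line)
            if m:
                role["permissions"].append(m.group(1).strip().strip("'\""))
                continue
            in_perms = not line.strip()  # a non-blank, non-item line ends the list
        if re.match(r"permissions:\s*$", line):
            in_perms = True
        elif (m := re.match(r"label:\s*(.*)$", line)):
            role["label"] = m.group(1).strip().strip("'\"")
        elif (m := re.match(r"is_admin:\s*(\S+)", line)):
            role["is_admin"] = m.group(1).lower() == "true"
    return role

def roles_with_permission(sync_dir, permission=PERMISSION):
    """Return (role id, label, reason) for each role that can use the permission."""
    hits = []
    for path in sorted(Path(sync_dir).glob("user.role.*.yml")):
        role = parse_role(path.read_text(encoding="utf-8"))
        if role["is_admin"] or permission in role["permissions"]:
            reason = "is_admin" if role["is_admin"] else "explicit grant"
            hits.append((path.name.split(".")[2], role["label"], reason))
    return hits

SAMPLES = {  # constructed role exports, not taken from a real site
    "user.role.administrator.yml": "id: administrator\nlabel: Administrator\nis_admin: true\npermissions: {  }\n",
    "user.role.editor.yml": "id: editor\nlabel: 'Content editor'\nis_admin: null\npermissions:\n  - 'access content'\n  - 'administer responsive favicons'\n",
    "user.role.authenticated.yml": "id: authenticated\nlabel: 'Authenticated user'\nis_admin: false\npermissions:\n  - 'access content'\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            Path(d, name).write_text(body, encoding="utf-8")
        return roles_with_permission(d)

if __name__ == "__main__":
    for rid, label, reason in demo():
        print(f"{rid}\t{label}\t{reason}")
```
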
Reported By: 
Coordinated By: