Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Project:

Obfuscate

Date:

2026-April-22

Security risk:

Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Vulnerability:

Cross-site scripting

Affected versions:

<2.0.2

CVE IDs:

CVE-2026-6871

Description:

This module enables you to obfuscate email addresses in content.

The module doesn't sufficiently sanitize user input via the Twig filter.

This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.

Solution:

Install the latest version:

If you use the Obfuscate module, upgrade to Obfuscate 2.0.2

Reported By:

Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community