DRUPAL-CONTRIB-2026-065

Details

The Canvas AI submodule allows you to upload image files via a custom API to use within the AI web chat.

These file uploads are insufficiently validated before being written to Drupal's temporary directory. In some cases, this may lead to cross-site scripting (XSS).

Affected packages

Ecosystem: Packagist:https://packages.drupal.org/8
Package: drupal/canvas
Introduced in: 0
Fixed in: 1.4.2

Upgrade drupal/canvas to 1.4.2 or newer (ecosystem packagist:https://packages.drupal.org/8).
