
DRUPAL-CONTRIB-2026-066

Details

The Canvas module allows you to upload image files via a custom API.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
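
The gap between the extension-only rule described above and a rule that also inspects the file content, shown as an added PHP example. It is not the Canvas module's code or its fix; the allow-list, function names and sample uploads are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allow-list (not from the advisory): extension => MIME type the content must match.
const ALLOWED_IMAGES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Extension-only rule as the advisory describes it: the file content is never inspected.
function extensionOnlyCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_IMAGES);
}

// Stricter rule: allowed extension AND detected MIME type (fileinfo) equal to the one it implies.
function extensionAndContentCheck(string $filename, string $bytes): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        return false;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return $detected === ALLOWED_IMAGES[$ext];
}

// Constructed sample uploads: a minimal GIF header and an HTML document.
$gifBytes  = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$htmlBytes = "<!DOCTYPE html><html><body><p>not an image</p></body></html>";

$uploads = [
    ['logo.gif',   $gifBytes],   // extension and content agree
    ['banner.png', $htmlBytes],  // image extension, HTML content
    ['photo.png',  $gifBytes],   // real image, but not the type the name claims
    ['notes.html', $htmlBytes],  // extension not on the allow-list
];

foreach ($uploads as [$name, $bytes]) {
    $extOnly = extensionOnlyCheck($name) ? 'accept' : 'reject';
    $strict  = extensionAndContentCheck($name, $bytes) ? 'accept' : 'reject';
    printf("%-11s extension-only=%-6s extension+content=%s\n", $name, $extOnly, $strict);
}
```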


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/canvas
Introduced in: 0
Fixed in: 1.4.2

Upgrade drupal/canvas to 1.4.2 or newer (ecosystem packagist:https://packages.drupal.org/8).
