—

DRUPAL-CONTRIB-2026-054

Details

The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.

Under certain circumstances, rendering of this HTML can lead to Cross Site Scripting, or exposing secret communications in the context of the LLM request.

This vulnerability is mitigated by the fact that an attacker must be able to inject text into prompts to create an attack.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ai

Introduced in: 0 Fixed in: 1.2.17

Upgrade drupal/ai to 1.2.17 or newer (ecosystem packagist:https://packages.drupal.org/8).

References

https://www.drupal.org/sa-contrib-2026-054 [WEB]