
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN237
_____________________________________________________________________

DATE                : 27/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running UI Icons for Drupal versions
                              prior to 1.0.1 or 1.1.1.

=====================================================================
https://www.drupal.org/sa-contrib-2026-010
_____________________________________________________________________

UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
Project: UI Icons
Date: 2026-February-11
Security risk: Critical 16 / 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.0.1 || >=1.1.0 <1.1.1
CVE IDs: CVE-2026-2349


Description: 

This module enables you to integrate and manage icons with Drupal.

The module doesn't sufficiently sanitize user input leading to a
reflected Cross-site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that in order to be
vulnerable, the "UI Icons for CKEditor 5" submodule must be
enabled.

Note: this SA was edited after release to correct the risk score;
there is no user authentication requirement.

Solution: 

Install the latest version:

    If you use the UI Icons module, upgrade to UI Icons 1.0.1 or
    UI Icons 1.1.1.
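As an added example (not part of the CERT-Renater note or the Drupal advisory), a small Python helper that evaluates the advisory's affected-version expression ("<1.0.1 || >=1.1.0 <1.1.1") against an installed UI Icons release and applies the stated mitigation condition (the "UI Icons for CKEditor 5" submodule must be enabled). The range grammar, the handling of a Drupal "8.x-" prefix and of pre-release suffixes are assumptions made here, not rules taken from the advisory.

```python
"""Decide whether an installed UI Icons release is inside the affected range
published in SA-CONTRIB-2026-010 and whether the mitigation condition applies.

Assumed range grammar: alternatives separated by "||", each alternative a
space-separated conjunction of "<", "<=", ">", ">=", "==" constraints on
dotted numeric versions.  A Drupal core prefix ("8.x-1.0.0") is dropped and a
pre-release suffix ("1.1.0-beta1") is compared on its numeric part only.
"""
import re

AFFECTED_RANGE = "<1.0.1 || >=1.1.0 <1.1.1"   # taken verbatim from the advisory
CONSTRAINT_RE = re.compile(r"(<=|>=|==|<|>)\s*([0-9][0-9.]*)")
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(v):
    """'8.x-1.0.1' -> (1, 0, 1); '1.1.0-beta1' -> (1, 1, 0)."""
    if re.match(r"^\d+\.x-", v):          # strip a Drupal core prefix (assumed)
        v = v.split("-", 1)[1]
    nums = re.match(r"\d+(?:\.\d+)*", v).group(0)
    return tuple(int(part) for part in nums.split("."))


def in_range(version, range_expr):
    """True if the version satisfies at least one '||' alternative."""
    ver = parse_version(version)
    for alternative in range_expr.split("||"):
        constraints = CONSTRAINT_RE.findall(alternative)
        if constraints and all(OPS[op](ver, parse_version(bound))
                               for op, bound in constraints):
            return True
    return False


def is_vulnerable(version, ckeditor5_submodule_enabled):
    """Affected release AND the 'UI Icons for CKEditor 5' submodule enabled,
    which the advisory names as the condition for the issue to be reachable."""
    return in_range(version, AFFECTED_RANGE) and ckeditor5_submodule_enabled


if __name__ == "__main__":
    for v in ("1.0.0", "1.0.1", "1.0.5", "1.1.0", "1.1.1", "8.x-1.0.0"):
        print(v, "affected" if in_range(v, AFFECTED_RANGE) else "not affected")
```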

Reported By: 

    Drew Webber (mcdruid) of the Drupal Security Team 

Fixed By: 

    Jean Valverde (mogtofu33) 

Coordinated By: 

    Greg Knaddison (greggles) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
