Drupal Next.js Permissive Cross-Domain Security Policy Vulnerability Allowing Cross-Site Scripting
Vulnerability
A vulnerability in Drupal Next.js versions prior to 1.6.4 and 2.0.0 through 2.0.1 allows for Cross-Site Scripting (XSS) attacks due to a permissive cross-domain security policy that trusts untrusted domains.
Impact
Exploitation of this vulnerability allows for Cross-Site Scripting (XSS) attacks.
Added: Jan 28, 2026, 8:37 PM
Updated: Jan 28, 2026, 8:37 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.4
remediation: 0.0
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
