CVE-2026-58587
Description
The Canvas AI submodule lets users upload image files through a custom API for use in the AI web chat. These uploads are insufficiently validated before being written to Drupal's temporary directory, which in some cases can lead to cross-site scripting (XSS).
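The weakness described above is a generic upload-validation failure: trusting the client-supplied name or type of a file before writing it somewhere the web server may later serve. The following PHP class is an added illustration of the checks a defender would expect such an endpoint to apply; it is not code from the Canvas or Drupal projects, and every name in it (`ImageUploadValidator`, `validate`, the path in the usage comment) is hypothetical. It assumes PHP 8 with the fileinfo and GD extensions.

```php
<?php
// Added illustration (not code from the Canvas or Drupal projects): a
// content-based check for uploaded "image" files, of the kind an upload
// endpoint should apply before writing anything to a shared temp directory.
// Assumed: PHP 8 with the fileinfo and GD extensions; all names are hypothetical.

declare(strict_types=1);

final class ImageUploadValidator
{
    // Raster formats only. SVG is XML and can carry <script>, so it is not listed.
    private const ALLOWED = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    ];

    private const MAX_BYTES = 5 * 1024 * 1024;

    /**
     * Returns a safe file name (random stem plus an extension derived from the
     * detected type) or throws. The client-supplied name and MIME type are
     * never consulted: the extension follows what the bytes actually are.
     */
    public static function validate(string $tmpPath): string
    {
        if (!is_file($tmpPath) || !is_readable($tmpPath)) {
            throw new RuntimeException('upload missing');
        }
        $size = filesize($tmpPath);
        if ($size === false || $size === 0 || $size > self::MAX_BYTES) {
            throw new RuntimeException('unacceptable size');
        }

        // 1. Sniff the type from file content, not from $_FILES['type'].
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime = $finfo->file($tmpPath);
        if (!isset(self::ALLOWED[$mime])) {
            throw new RuntimeException("type not allowed: {$mime}");
        }

        // 2. Require that the bytes decode as that image type. A file that
        //    merely starts with an image header but is really HTML fails here.
        $info = @getimagesize($tmpPath);
        if ($info === false || ($info['mime'] ?? null) !== $mime) {
            throw new RuntimeException('not a decodable image');
        }

        // 3. Cheap heuristic against polyglot payloads: a genuine raster image
        //    has no reason to contain markup in its first kilobyte.
        $head = file_get_contents($tmpPath, false, null, 0, 1024);
        if ($head !== false && preg_match('/<\s*(script|html|svg|\?xml)/i', $head)) {
            throw new RuntimeException('markup found in image data');
        }

        // 4. Never reuse the client file name: random stem, server-chosen extension.
        return bin2hex(random_bytes(16)) . '.' . self::ALLOWED[$mime];
    }
}

// Usage in an upload handler (the destination path is a placeholder):
// $safeName = ImageUploadValidator::validate($_FILES['image']['tmp_name']);
// move_uploaded_file($_FILES['image']['tmp_name'], '/var/private/uploads/' . $safeName);
```

Validation alone does not finish the job: files accepted this way should be stored outside the document root (or in a directory the web server will not execute or serve as HTML) and, when served, sent with the detected `Content-Type` and `X-Content-Type-Options: nosniff` so a browser never reinterprets them as a document.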
How to fix CVE-2026-58587
To remediate CVE-2026-58587, upgrade the affected package to a fixed version listed below.
- Packagist/drupal/canvas: upgrade to 1.4.2 or later
Is CVE-2026-58587 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-58587.
Affected packages (1)
- Packagist/drupal/canvas: < 1.4.2; >= 1.5.0, < 1.5.2; >= 1.6.0, < 1.6.1; >= 1.7.0, < 1.7.1