CVE-2026-58588
Description
The Canvas module allows you to upload image files via a custom API. The validation rules check the extension of the uploaded file's name but not its MIME type, that is, not what the file actually contains, so a malicious user can upload a file that is not an image under an image extension. Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
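The check described above, shown as an added example in plain PHP that is not code from the Canvas module: `extension_only_check()` reproduces the weak pattern (only the client-supplied filename is inspected), and `validate_image_upload()` is a hardened replacement that also sniffs the bytes on disk and requires them to parse as an image of the type the extension promises. The function names, the allowlist and the two sample uploads are constructed for this illustration.

```php
<?php
// Added example, not code from the Canvas module: the extension-only check the
// advisory describes, next to a content-based check that rejects non-images.
declare(strict_types=1);

// Extension allowlist mapped to the MIME type the stored bytes must actually have.
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/** Vulnerable pattern: trusts the client-supplied filename's extension only. */
function extension_only_check(string $clientFilename): bool
{
    $ext = strtolower(pathinfo($clientFilename, PATHINFO_EXTENSION));
    return isset(ALLOWED_IMAGE_TYPES[$ext]);
}

/**
 * Hardened check. Returns the MIME type to store and serve the file with, or
 * null if the upload must be rejected. $tmpPath is the server-side temporary
 * file (for a form upload, $_FILES['image']['tmp_name']).
 */
function validate_image_upload(string $clientFilename, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientFilename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    $expected = ALLOWED_IMAGE_TYPES[$ext];

    // 1. Sniff the bytes on disk with libmagic. Do not use $_FILES[...]['type'];
    //    it is sent by the client and is just as untrustworthy as the name.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed !== $expected) {
        return null;
    }

    // 2. Require the file to parse as a raster image of the same type.
    //    Plain text, HTML and SVG bodies fail here even with a .png name.
    $info = @getimagesize($tmpPath);
    if ($info === false || image_type_to_mime_type($info[2]) !== $expected) {
        return null;
    }
    return $expected;
}

/**
 * Headers to send when serving a stored upload, so the browser uses the
 * validated type and never sniffs the body into text/html.
 */
function upload_response_headers(string $mime, string $storedName): array
{
    return [
        'Content-Type'           => $mime,
        'X-Content-Type-Options' => 'nosniff',
        'Content-Disposition'    => 'inline; filename="' . rawurlencode($storedName) . '"',
    ];
}

// --- Constructed sample uploads -------------------------------------------
// A real 1x1 transparent PNG.
$pngBytes = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
// An HTML document that merely carries a .png name.
$htmlBytes = "<!doctype html><script>alert(document.domain)</script>";

foreach (['real.png' => $pngBytes, 'evil.png' => $htmlBytes] as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf(
        "%-9s extension-only: %-4s content-based: %s\n",
        $name,
        extension_only_check($name) ? 'pass' : 'fail',
        validate_image_upload($name, $tmp) ?? 'rejected'
    );
    unlink($tmp);
}
```

Both sample files pass the extension-only check; only the real PNG passes the content-based one. Note that `getimagesize()` does not defeat polyglot files (a valid image header followed by script), so the serving side still matters: send the validated `Content-Type` with `X-Content-Type-Options: nosniff`, and keep uploads in a location where the web server applies no script handler to them.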
How to fix CVE-2026-58588
To remediate CVE-2026-58588, upgrade the affected package to the first fixed release of the branch you are running. Fixes were issued on four branches, so a release from a later minor branch is not automatically safe (for example, 1.5.0 is newer than 1.4.2 but is still vulnerable).
- Packagist/drupal/canvas: upgrade to 1.4.2, 1.5.2, 1.6.1 or 1.7.1 (or a later release of the same branch)
Is CVE-2026-58588 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-58588.
Affected packages (1)
- Packagist/drupal/canvas: >= 0, < 1.4.2 | >= 1.5.0, < 1.5.2 | >= 1.6.0, < 1.6.1 | >= 1.7.0, < 1.7.1