CVE-2026-10770

描述

This module provides spam protection using the CleanTalk cloud service. The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The `_cleantalk_die()` and `ct_die()` functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript. This vulnerability is mitigated by the fact that an attacker must be able to influence the CleanTalk cloud API response (e.g., through a man-in-the-middle attack or a compromised API server).

受影響套件(1)

• Packagist/drupal/cleantalkfrom 0, < 9.7.1

參考連結(1)

• WEBhttps://www.drupal.org/sa-contrib-2026-042