SA-CONTRIB-2026-016: Islandora Arbitrary File Upload + XSS — A Dangerous Chain
Source: Dev.to
Overview
SA‑CONTRIB‑2026‑016 combines two dangerous vulnerability classes in one module path: arbitrary file upload and cross‑site scripting (XSS). An attacker can upload a malicious payload through the Islandora repository interface and have it executed in a privileged browser session. This is a practical attack chain, not a theoretical one.
Vulnerability Details
| SA ID | CVE | Severity | Affected Versions | Patched Version |
|---|---|---|---|---|
| SA‑CONTRIB‑2026‑016 | CVE‑2026‑3215 | Moderately Critical | < 2.17.5 | 2.17.5 |
Attack flow (Mermaid diagram)
```mermaid
flowchart TD
    A[Attacker uploads crafted file with malicious payload] --> B{Upload validation in place?}
    B -- No — vulnerable version --> C[File stored without sanitization]
    C --> D[Privileged user views repository item]
    D --> E[XSS payload executes in admin session]
    E --> F[Session hijacking / token theft]
    B -- Yes — patched version --> G[Upload rejected or sanitized]
```
> “A validation and output handling gap across upload and render paths creates conditions where attacker‑controlled files or payloads can be stored and later executed in browser contexts.”
>
> — Drupal Security Team, SA‑CONTRIB‑2026‑016
Mitigation
Fast version check
```bash
# Show the installed version of Islandora
composer show drupal/islandora
```
Upgrade
```bash
# Upgrade to the fixed version
composer require drupal/islandora:^2.17.5
# Clear caches
drush cr
```
Review upload permissions
```bash
# List every role with its granted permissions, then keep only the
# entries that touch Islandora, media, or upload handling
drush role:list | grep -Ei "islandora|media|upload"
```
Post‑upgrade verification
- Test legitimate uploads still work in Islandora ingest paths.
- Confirm uploaded content cannot execute scripts in rendered output.
Full Advisory Details
- Project: Islandora (drupal/islandora)
- Advisory: SA‑CONTRIB‑2026‑016
- CVE: CVE‑2026‑3215
- Published: 2026‑02‑25
- Risk: Moderately critical
- Type: Arbitrary file upload, Cross‑site scripting (XSS)
- Affected versions: < 2.17.5
- Fixed version: 2.17.5
Relevance to Other Platforms
The arbitrary file upload chained with XSS is a common pattern across CMS platforms. WordPress plugins that handle media uploads, form file attachments, or custom post‑type imports face the same risk: if uploaded file content is rendered without sanitization, stored XSS becomes trivial. WordPress developers should:
- Validate file extensions, MIME types, and content at upload time using wp_check_filetype_and_ext().
- Ensure rendered output from uploaded files is properly escaped.
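To make the two checks above concrete (and the post-upgrade test that uploaded content cannot execute scripts), here is an added example of a framework-independent upload gate in plain PHP. It is not code from the advisory, Islandora, or WordPress; the allowlist, the file names, and the sample files are assumptions constructed for the demo.

```php
<?php
// Added example (not from the advisory or the Islandora project): a minimal
// upload gate applying the checks named above, plus output escaping.
// ALLOWED is an assumed allowlist for the demo; tailor it to your site.
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

/** Returns [] when the upload is acceptable, otherwise the reasons to reject it. */
function validate_upload(string $tmpPath, string $clientName): array
{
    $problems = [];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        $problems[] = "extension '$ext' is not on the allowlist";
    }
    // Nested extensions (image.php.png) can reach an interpreter on some servers.
    if (preg_match('/\.(php\d?|phtml|phar|html?|svg|xml|js)\./i', $clientName)) {
        $problems[] = 'nested executable extension in filename';
    }
    // Sniff the MIME type from the bytes; never trust the client-supplied type.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) ?: 'unknown';
    if (array_key_exists($ext, ALLOWED) && $sniffed !== ALLOWED[$ext]) {
        $problems[] = "content sniffs as $sniffed, expected " . ALLOWED[$ext];
    }
    // HTML/SVG/XML run inline <script>; this also catches markup hidden in "text".
    $head = (string) file_get_contents($tmpPath, false, null, 0, 65536);
    if (preg_match('/<\s*script|javascript:|\bon[a-z]{3,}\s*=/i', $head)) {
        $problems[] = 'active script content detected';
    }
    return $problems;
}

/** Escape any upload-derived string (filename, title, alt text) before it hits HTML. */
function render_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed samples: a file with a genuine PNG signature, and a text file
// carrying a harmless script tag. print_r shows the rejection reasons, if any.
$dir = sys_get_temp_dir();
file_put_contents("$dir/ok.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
file_put_contents("$dir/note.txt", "<script>alert('stored xss test')</script>");
print_r(validate_upload("$dir/ok.png", 'ok.png'));
print_r(validate_upload("$dir/note.txt", 'note.txt'));
echo render_attr('"><script>alert(1)</script>'), "\n";
```

Requires the fileinfo extension; in WordPress, wp_check_filetype_and_ext() covers the extension and MIME checks, but the content scan and output escaping still need to be applied in your own code.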
Drupal’s Islandora advisory serves as a case study applicable to any CMS handling user‑supplied files. If your site runs Islandora below 2.17.5, treat this as urgent patch work: upgrade first, then validate upload and rendering paths under real editorial workflows. The upload + XSS combination can turn a content‑management issue into a full account compromise.