CVE-2026-3215 identifies a Cross-Site Scripting (XSS) vulnerability in the Drupal Islandora module, a digital asset management framework built on Drupal. The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows attackers to inject malicious scripts into web pages viewed by other users. The affected versions include all Islandora releases before 2.17.5. Because the vulnerability occurs during page rendering, an attacker can craft specially crafted input that, when processed by the vulnerable Islandora instance, results in execution of arbitrary JavaScript in the context of the victim’s browser. This can lead to theft of session cookies, user impersonation, or redirection to malicious sites. No CVSS score has been assigned yet, and no public exploits are currently known. The vulnerability was reserved in February 2026 and published in March 2026. The lack of authentication or user interaction requirements increases the risk profile. Islandora is widely used by academic, cultural, and governmental institutions for managing digital content, making this vulnerability particularly relevant to organizations managing sensitive or public-facing digital archives. The absence of a patch link indicates that a fix may still be pending or in development.

The impact of CVE-2026-3215 can be significant for organizations using Drupal Islandora, especially those managing sensitive digital collections or user data. Successful exploitation can compromise confidentiality by exposing session tokens and personal information, enabling attackers to impersonate legitimate users. Integrity may be affected if attackers inject malicious content or deface web pages. Availability impact is generally low but could occur if attackers leverage XSS to conduct further attacks such as phishing or malware distribution, potentially leading to reputational damage and loss of user trust. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely and at scale, increasing the potential attack surface. Institutions in academia, government, and cultural heritage sectors that rely on Islandora for public access to digital assets are at heightened risk. The lack of known exploits suggests a window of opportunity for defenders to patch and mitigate before widespread abuse occurs.

Organizations should immediately inventory their use of Drupal Islandora and identify affected versions prior to 2.17.5. Although no official patch link is currently available, monitoring Drupal’s security advisories for the release of a fix is critical. In the interim, implement strict input validation and output encoding on all user-supplied data to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Disable or restrict user-generated content features if feasible until patched. Conduct thorough code reviews and penetration testing focused on XSS vectors within Islandora deployments. Educate users and administrators about the risks of XSS and encourage vigilance against suspicious links or content. Additionally, consider deploying web application firewalls (WAFs) with rules targeting common XSS payloads to provide an additional layer of defense. Finally, plan for rapid deployment of patches once released and integrate this vulnerability into incident response and vulnerability management workflows.