CVE-2026-1554

{"id": "CVE-2026-1554", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.6}]}, "published": "2026-02-04T21:15:59.427", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-007", "tags": ["Vendor Advisory"], "source": "mlhess@drupal.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "mlhess@drupal.org", "description": [{"lang": "en", "value": "CWE-91"}]}], "descriptions": [{"lang": "en", "value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2."}, {"lang": "es", "value": "Inyecci\u00f3n XML (tambi\u00e9n conocida como Inyecci\u00f3n XPath Ciega) vulnerabilidad en el servidor del Sistema de Autenticaci\u00f3n Central (CAS) de Drupal permite la escalada de privilegios. Este problema afecta al servidor del Sistema de Autenticaci\u00f3n Central (CAS): desde 0.0.0 anterior a 2.0.3, desde 2.1.0 anterior a 2.1.2."}], "lastModified": "2026-02-11T19:18:19.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jtenman:central_authentication_system_server:*:*:*:*:*:drupal:*:*", "vulnerable": true, "matchCriteriaId": "667508E4-C557-47F0-8038-58B3CAF1851E", "versionEndExcluding": "2.0.3"}, {"criteria": "cpe:2.3:a:jtenman:central_authentication_system_server:*:*:*:*:*:drupal:*:*", "vulnerable": true, "matchCriteriaId": "1925AABB-E45D-40EC-9357-07091200BF4B", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "mlhess@drupal.org"}