Central Authentication System (CAS) Server – Less critical

4.2 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.

Basic Information

ID CVE-2026-1554

Source drupal

Published Feb 4, 2026 at 20:26

Modified Feb 5, 2026 at 15:15

Affected Product

Vendor Drupal

Product Central Authentication System (CAS) Server

Version 0.0.0

Affected Versions Drupal Central Authentication System (CAS) Server 0.0.0
Drupal Central Authentication System (CAS) Server 2.1.0

CWE Classification

CWE-91

References

www.drupal.org /sa-contrib-2026-007

{
    "lastseen": "",
    "description": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.",
    "published": "2026-02-04T20:26:38.850Z",
    "modified": "2026-02-05T15:15:29.323Z",
    "type": "cve",
    "title": "Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007",
    "source": "drupal",
    "references": "https://www.drupal.org/sa-contrib-2026-007",
    "id": "CVE-2026-1554",
    "bulletinFamily": "",
    "cwe": [
        "CWE-91"
    ],
    "cvelist": null,
    "sourceData": "Drupal Central Authentication System (CAS) Server 0.0.0\nDrupal Central Authentication System (CAS) Server 2.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.2,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Central Authentication System (CAS) Server",
    "version": "0.0.0",
    "vendor": "Drupal",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Central Authentication System (CAS) Server – Less critical – XML Element Injection – SA-CONTRIB-2026-007_CVE-2026-1554