Skip to main content

Review: Islandora Arbitrary File Upload + XSS in Drupal (SA-CONTRIB-2026-016)

· 2 min read
Victor Jimenez
Victor Jimenez
Software Engineer & AI Agent Builder

The Hook SA-CONTRIB-2026-016 combines two dangerous classes in one module path: arbitrary file upload and cross-site scripting (XSS), which can quickly escalate from content abuse to account and session impact.

What Happened The Drupal Security Team published SA-CONTRIB-2026-016 on February 25, 2026 for the Islandora module (drupal/islandora). The advisory is marked moderately critical and classified as arbitrary file upload and cross-site scripting.

The issue is a validation/output handling gap across upload and render paths, creating conditions where attacker-controlled files or payloads can be stored and later executed in browser contexts.

Affected Scope

  • Affected versions: <2.17.5
  • Fixed version: 2.17.5
  • CVE: CVE-2026-3215
  • Advisory ID: SA-CONTRIB-2026-016

Why This Matters for Drupal 10/11 and Drupal CMS Islandora deployments typically manage high-value repository assets and editorial workflows. Upload weakness plus XSS is a practical chain: introduce payloads through repository interfaces, then trigger script execution in privileged sessions.

Fast Triage Checklist

  1. Check installed version:
    • composer show drupal/islandora
  2. Patch immediately if running <2.17.5:
    • composer require drupal/islandora:^2.17.5
  3. Clear caches after update:
    • drush cr
  4. Review permissions and upload workflows:
    • drush role:perm | grep -Ei "islandora|media|upload"
  5. Run focused regression checks:
    • Confirm legitimate uploads still succeed in Islandora ingest paths.
    • Confirm uploaded content cannot execute scripts in rendered output or previews.

Bottom Line If your site runs Islandora below 2.17.5, treat this as active patch work. Upgrade first, then validate upload and rendering paths under real editorial workflows.

References