Review: Responsive Favicons Persistent XSS in Drupal (SA-CONTRIB-2026-019)
The Hook SA-CONTRIB-2026-019 is a persistent XSS issue in Responsive Favicons where administrator-entered text was not properly filtered.
What Happened
On February 25, 2026, Drupal published SA-CONTRIB-2026-019 for the Responsive Favicons module (drupal/responsive_favicons), classified as Moderately critical cross-site scripting.
The advisory states the vulnerability is mitigated by requiring the administer responsive favicons permission, but that is still a meaningful risk in real teams where admin-level access is delegated or compromised.
Affected Scope
- Affected versions:
< 2.0.2 - Fixed version:
2.0.2 - CVE:
CVE-2026-3218 - Advisory ID:
SA-CONTRIB-2026-019 - Published date:
2026-02-25
Why This Matters for Drupal 10/11 and Drupal CMS Persistent XSS on any administrative configuration surface can become a pivot point: payloads can execute in privileged sessions, tamper with workflows, and expose tokens or sensitive UI actions. The permission boundary helps, but it does not eliminate impact if privileged accounts are phished, reused, or overly broad.
Required Mitigations
- Verify installed version:
composer show drupal/responsive_favicons
- Upgrade immediately if version is below
2.0.2:composer require drupal/responsive_favicons:^2.0.2
- Rebuild caches after update:
drush cr
- Restrict the sensitive permission:
- Ensure
administer responsive faviconsis granted only to tightly controlled admin roles.
- Ensure
- Audit recent configuration changes:
- Review favicon-related settings and admin activity logs for suspicious injected markup.
- Regression-check admin UI rendering:
- Confirm configuration values are displayed safely and no injected script executes in admin pages.
Bottom Line
If your site runs Responsive Favicons below 2.0.2, this is immediate patch work. Upgrade first, then tighten administer responsive favicons assignment to the smallest possible set of trusted roles.