View online: https://www.drupal.org/sa-contrib-2026-019 Project: Responsive Favicons [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site scripting Affected versions: <2.0.2 CVE IDs: CVE-2026-3218 Description:  This module adds the favicons generated by realfavicongenerator.net to your Drupal site. The module does not filter administrator-entered text, leading to a persistent Cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive favicons". Solution:  Install the latest version, then confirm the permissions associated with the module are assigned to appropriate roles. * If you use the Responsive Favicons module version 2.0.1 or lower, upgrade to Responsive Favicons 2.0.2 [3]. * 4.x and 3.x branches are not affected by this vulnerability. Reported By:  * Simon Bäse (simonbaese) [4] Fixed By:  * Frank Mably (mably) [5] * Sean Hamlin (wiifm) [6] Coordinated By:  * Greg Knaddison (greggles) [7] of the Drupal Security Team * Juraj Nemec (poker10) [8] of the Drupal Security Team * Jess (xjm) [9] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [10] [1] https://www.drupal.org/project/responsive_favicons [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/responsive_favicons/releases/2.0.2 [4] https://www.drupal.org/u/simonbaese [5] https://www.drupal.org/u/mably [6] https://www.drupal.org/u/wiifm [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/poker10 [9] https://www.drupal.org/u/xjm [10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....