Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033
View online: https://www.drupal.org/sa-contrib-2026-033

Project: Obfuscate [1]
Date: 2026-April-22
Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross-site scripting
Affected versions: <2.0.2
CVE IDs: CVE-2026-6871

Description:
This module enables you to obfuscate email addresses in content.

The module doesn't sufficiently sanitize user input via the Twig filter.

This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.

Solution:
Install the latest version:

   * If you use the Obfuscate module, upgrade to Obfuscate 2.0.2 [3]

Reported By:
   * Pierre Rudloff (prudloff) [4] of the Drupal Security Team

Fixed By:
   * Christophe Jossart (colorfield) [5]
   * Nigel Cunningham (nigelcunningham) [6]

Coordinated By:
   * Greg Knaddison (greggles) [7] of the Drupal Security Team
   * Juraj Nemec (poker10) [8] of the Drupal Security Team
   * Pierre Rudloff (prudloff) [9] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [10]

[1] https://www.drupal.org/project/obfuscate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/obfuscate/releases/2.0.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/colorfield
[6] https://www.drupal.org/u/nigelcunningham
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....