
SA-CONTRIB-2026-016: Islandora Arbitrary File Upload + XSS — A Dangerous Chain
SA-CONTRIB-2026-016 combines two dangerous vulnerability classes in one module path: arbitrary file upload and cross-site scripting. Upload a payload through the repository interface, trigger script execution in a privileged session. That is a practical attack chain, not a theoretical one.

🚨 Danger: Arbitrary Upload + XSS Chain
CVE-2026-3215 allows arbitrary file upload combined with XSS in Islandora. If you run drupal/islandora below 2.17.5, attackers can store payloads through repository interfaces and execute scripts in privileged browser sessions. Update now.

Severity Snapshot

| SA ID | CVE | Severity | Affected Versions | Patched Version | Action |
| --- | --- | --- | --- | --- | --- |
| SA-CONTRIB-2026-016 | CVE-2026-3215 | Moderately Critical | < 2.17.5 | 2.17.5 | Update immediately |

What Happened

The Drupal Security Team published SA-CONTRIB-2026-016 on February 25, 2026 for the Islandora module (drupal/islandora). The advisory covers both arbitrary file upload and cross-site scripting. The root cause: a validation and output handling gap
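
An added example, not code from the advisory or the original post: a check that reads a composer.lock and reports whether drupal/islandora is locked below the patched 2.17.5. The function names and the sample lock contents are constructed for illustration.

```python
import json
import re
import sys

PACKAGE = "drupal/islandora"   # package name as given on this page
PATCHED = (2, 17, 5)           # first fixed release per SA-CONTRIB-2026-016

# Constructed sample lock file (not real project data), used when no path is given.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/islandora", "version": "2.17.4"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return (major, minor, patch) for a plain tagged release, else None.

    Branch aliases ('dev-2.x', '2.x-dev') and pre-releases ('2.17.5-rc1')
    return None so they are reviewed by hand instead of being assumed safe.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def classify(lock_text):
    """Classify a composer.lock: 'absent', 'affected', 'patched' or 'unknown'."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            return "unknown"   # cannot be compared; inspect the checkout by hand
        return "affected" if version < PATCHED else "patched"
    return "absent"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    result = classify(text)
    print(f"{PACKAGE}: {result}")
    # Non-zero exit lets a CI job fail on affected or unverifiable versions.
    sys.exit(1 if result in ("affected", "unknown") else 0)
```

A lock file records what Composer resolved, not what is deployed, so confirm the result against the running site as well.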




