CVE-2026-1554

Summary

XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.

Affected Software

VendorProductVersion RangeStatus
DrupalCentral Authentication System (CAS) Server0.0.0 < 2.0.3affected
DrupalCentral Authentication System (CAS) Server2.1.0 < 2.1.2affected

Weaknesses

  • CWE-91: CWE-91 XML Injection (aka Blind XPath Injection)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References