CVE-2026-1554

MEDIUM

Jtenman Central Authentication System Server - Privilege Escalation

Title source: rule

Description

XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.

References (1)

[Vendor Advisory] https://www.drupal.org/sa-contrib-2026-007

Scores

CVSS v3 4.2

EPSS 0.0004

EPSS Percentile 13.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-91

Status published

Affected Products (1)

jtenman/central_authentication_system_server < 2.0.3

Timeline

Published Feb 04, 2026

Tracked Since Feb 18, 2026