PatchSiren cyber security CVE debrief
CVE-2026-8492 Drupal CVE debrief
CVE-2026-8492 is a low-severity Modification of Assumed-Immutable Data (MAID) issue affecting Translate Drupal with GTranslate versions before 3.0.5. According to the published description, the flaw can lead to Resource Location Spoofing, which may cause users or systems to trust a misleading resource location. The NVD entry is still marked "Undergoing Analysis," so defensive teams should treat the current impact description as preliminary and rely on the vendor advisory for confirmation and remediation guidance.
- Vendor
- Drupal
- Product
- Translate Drupal with GTranslate
- CVSS
- LOW 2.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-20
Who should care
Drupal site owners and administrators using Translate Drupal with GTranslate, especially environments that expose translated content or rely on links/resource locations presented by the module. Security teams responsible for Drupal extension inventory and change management should also review this issue.
Technical summary
The available record describes a MAID weakness in Translate Drupal with GTranslate before 3.0.5. NVD lists the issue with CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, indicating network reachability, low attack complexity, and high privileges required, with limited integrity impact and no direct confidentiality or availability impact. The cited weakness is CWE-471. The published vendor reference is a Drupal security advisory, which should be treated as the authoritative source for exact affected behavior and fix details.
Defensive priority
Low. The issue appears limited in impact and requires high privileges, but it still warrants routine patching because it affects content/resource trust and is fixed in a specific release boundary (before 3.0.5).
Recommended defensive actions
- Upgrade Translate Drupal with GTranslate to version 3.0.5 or later.
- Inventory Drupal instances to identify any deployment using Translate Drupal with GTranslate before the fixed version.
- Review translated pages and resource links for any signs of misleading or unexpected locations if the module was used in production.
- Monitor the Drupal security advisory for any clarification or follow-up guidance while NVD remains "Undergoing Analysis."
- If immediate upgrade is not possible, limit administrative access to the affected Drupal installation and validate content/resource destinations before publishing.
Evidence notes
Source evidence is limited to the NVD CVE record and the linked Drupal advisory reference. The NVD metadata identifies the vulnerability as MAID-related, assigns CWE-471, and provides the version boundary "from 0.0.0 before 3.0.5." The CVE was published on 2026-05-19T23:16:58.860Z and modified on 2026-05-20T18:16:28.137Z; these dates are used as the issue timeline. No exploit details or additional product behavior were included beyond the supplied record.
Official resources
-
CVE-2026-8492 CVE record
CVE.org
-
CVE-2026-8492 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
Published publicly on 2026-05-19T23:16:58.860Z; modified on 2026-05-20T18:16:28.137Z. The record was still marked "Undergoing Analysis" in NVD at the time of the supplied source snapshot.