Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS

Description

Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.

Affected Products

Vendor	Product	Versions
drupal	avatar_uploader	7.0-1.0-beta8

References

https://www.exploit-db.com/exploits/50841(exploit)
https://www.drupal.org/project/avatar_uploader(product)
https://www.vulncheck.com/advisories/drupal-avatar-uploader-7-x-beta8-reflected-xss(third-party-advisory)

Related News (1 articles)

Tier C

VulDB3d ago

CVE-2022-50957 | avatar_uploader 7.0-1.0-beta8 on Drupal avatar_uploader.pages.inc File cross site scripting (Exploit 50841 / EDB-50841)

→ No new info (linked only)

CVSS 3.16.1 NONE

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-79

PublishedMay 10, 2026

Last enriched3d agov2

Trending Score28

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (1)

Version History

Last enriched 3d ago

v2Tier C3d ago

Updated vendor to Drupal, changed severity to HIGH, marked exploit as available, and noted active exploitation.

descriptionseverityexploitAvailableactivelyExploited

via VulDB

v13d ago

Initial creation