CVE-2015-6752

low

Published 2015-08-31 · Modified 2026-05-06

CVSS v3

—

CVSS v2

2.1

VIR risk

2.1

Description

Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.drupal.org/node/2553977

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.drupal.org/node/2553485

Application impact

Vendor	Product	Versions
search_api_autocomplete_project	search_api_autocomplete	`7.x-1.0`
search_api_autocomplete_project	search_api_autocomplete	`7.x-1.1`
search_api_autocomplete_project	search_api_autocomplete	`7.x-1.2`

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.