Find a vulnerability
1435 vulnerabilities by drupal
CERTFR-2026-AVI-0771
Vulnerability from certfr_avis - Published: 2026-06-18 - Updated: 2026-06-18
Multiple vulnerabilities have been discovered in Drupal. Some of them allow an attacker to cause remote arbitrary code execution, SQL injection (SQLi) and server-side request forgery (SSRF).
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 10.6.x ant\u00e9rieures \u00e0 10.6.11",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions ant\u00e9rieures \u00e0 10.5.12",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.2.x ant\u00e9rieures \u00e0 11.2.14",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.3.x ant\u00e9rieures \u00e0 11.3.12",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-55803",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55803"
},
{
"name": "CVE-2026-55807",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55807"
},
{
"name": "CVE-2026-55808",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55808"
},
{
"name": "CVE-2026-55804",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55804"
},
{
"name": "CVE-2026-55806",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55806"
}
],
"initial_release_date": "2026-06-18T00:00:00",
"last_revision_date": "2026-06-18T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0771",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une injection SQL (SQLi) et une falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-007",
"url": "https://drupal.org/sa-core-2026-007"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-008",
"url": "https://drupal.org/sa-core-2026-008"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-003",
"url": "https://drupal.org/sa-core-2026-005"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-006",
"url": "https://drupal.org/sa-core-2026-006"
},
{
"published_at": "2026-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-009",
"url": "https://drupal.org/sa-core-2026-009"
}
]
}
CERTFR-2026-AVI-0629
Vulnerability from certfr_avis - Published: 2026-05-21 - Updated: 2026-05-21
A vulnerability has been discovered in Drupal. It allows an attacker to cause an SQL injection (SQLi).
The vendor states that vulnerability CVE-2026-9082 only affects applications that use PostgreSQL as their database management system.
However, it nevertheless recommends installing the patch on all instances because of the dependency updates also included in the latest versions.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
The vendor notes that versions 11.1.x, 11.0.x, 10.4.x, 9.x and 8.x are end-of-life and receive a patch for vulnerability CVE-2026-9082 only on an exceptional basis, given its criticality.
These versions do not include patches for all the other vulnerabilities discovered since their respective ends of support. The vendor therefore urges migrating to a supported, up-to-date version.
| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal 11.2.x versions prior to 11.2.12 |
| Drupal | Drupal | Drupal 10.6.x versions prior to 10.6.9 |
| Drupal | Drupal | Drupal 10.x versions prior to 10.4.10 |
| Drupal | Drupal | Drupal 9.x versions prior to 9.5 without the latest security patch |
| Drupal | Drupal | Drupal 11.3.x versions prior to 11.3.10 |
| Drupal | Drupal | Drupal 11.x versions prior to 11.1.10 |
| Drupal | Drupal | Drupal 8.x versions prior to 8.9 without the latest security patch |
| Drupal | Drupal | Drupal 10.5.x versions prior to 10.5.10 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 11.2.x ant\u00e9rieures \u00e0 11.2.12",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 10.6.x ant\u00e9rieures \u00e0 10.6.9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 10.x ant\u00e9rieures \u00e0 10.4.10",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 9.x ant\u00e9rieures \u00e0 9.5 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.3.x ant\u00e9rieures \u00e0 11.3.10",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.x ant\u00e9rieures \u00e0 11.1.10",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8.x ant\u00e9rieures \u00e0 8.9 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 10.5.x ant\u00e9rieures \u00e0 10.5.10",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": "L\u0027\u00e9diteur rappelle que les versions 11.1.x, 11.0.x, 10.4.x, 9.x et 8.x sont en fin de vie et ne re\u00e7oivent un correctif pour la vuln\u00e9rabilit\u00e9 CVE-2026-9082 qu\u0027\u00e0 titre exceptionnel, au vu de sa criticit\u00e9.\u003cbr\u003e\nCes versions n\u0027incluent pas de correctif pour toutes les autres vuln\u00e9rabilit\u00e9s d\u00e9couvertes depuis leurs fins de support respectives. L\u0027\u00e9diteur invite donc \u00e0 migrer vers une version support\u00e9e et \u00e0 jour.",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-9082",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9082"
}
],
"initial_release_date": "2026-05-21T00:00:00",
"last_revision_date": "2026-05-21T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0629",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection SQL (SQLi)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un attaquant de provoquer une injection SQL (SQLi).\n\nL\u0027\u00e9diteur pr\u00e9cise que la vuln\u00e9rabilit\u00e9 CVE-2026-9082 affecte uniquement les applications qui utilisent PostgreSQL comme syst\u00e8me de gestion de base de donn\u00e9es.\u003cbr\u003e \nCependant, il recommande n\u00e9anmoins l\u0027installation du correctif pour toutes les instances du fait des mises \u00e0 jour de d\u00e9pendances \u00e9galement incluses dans les derni\u00e8res versions.",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-004",
"url": "https://drupal.org/sa-core-2026-004"
}
]
}
CVE-2026-6816 (GCVE-0-2026-6816)
Vulnerability from nvd – Published: 2026-05-28 22:50 – Updated: 2026-05-29 18:33
- CWE-267 - Privilege Defined With Unsafe Actions
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/tfa-bas… | third-party-advisory |
| https://www.herodevs.com/vulnerability-directory/… | exploit |
| Vendor | Product | Version |
|---|---|---|
| Drupal | TFA Basic Plugins | Affected: 7.x-1.0, ≤ 7.x-1.2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:33:12.747287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:33:20.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816?nes-for-drupal-7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa_basic",
"defaultStatus": "unknown",
"product": "TFA Basic Plugins",
"repo": "https://git.drupalcode.org/project/tfa_basic",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.2",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\u003cbr\u003e\u003cp\u003eThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.\u003c/p\u003e"
}
],
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\n\n\nThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T22:50:49.419Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"name": "Drupal security advisory SA-CONTRIB-2025-085",
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TFA Basic Plugins - Access Bypass",
"x_generator": {
"engine": "Vulnogram 0.5.0",
"note": "Draft record revised for CVE-2026-6816 as a standalone TFA Basic Plugins CVE based on Drupal.org issue #3577095."
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6816",
"datePublished": "2026-05-28T22:50:49.419Z",
"dateReserved": "2026-04-21T19:10:28.105Z",
"dateUpdated": "2026-05-29T18:33:20.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5343 (GCVE-0-2026-5343)
Vulnerability from nvd – Published: 2026-05-28 22:48 – Updated: 2026-05-29 18:38
- CWE-754 - Improper Check for Unusual or Exceptional Conditions

| Vendor | Product | Version |
|---|---|---|
| Drupal | SAML SSO - Service Provider | Affected: 0.0.0, < 3.1.4 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:38:28.307589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:38:36.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_saml",
"defaultStatus": "unaffected",
"product": "SAML SSO - Service Provider",
"repo": "https://git.drupalcode.org/project/miniorange_saml",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.1.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim de Jong | Freelance Drupal Developer (tim_dj)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-01T16:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation.\u003cp\u003eThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation.\n\nThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T22:48:47.591Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-031"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-5343",
"datePublished": "2026-05-28T22:48:47.591Z",
"dateReserved": "2026-04-01T15:41:53.003Z",
"dateUpdated": "2026-05-29T18:38:36.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4929 (GCVE-0-2026-4929)
Vulnerability from nvd – Published: 2026-05-21 21:48 – Updated: 2026-05-22 12:52
- Cross-site Scripting (XSS)
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/simple-… | third-party-advisory |
| https://www.herodevs.com/vulnerability-directory/… | exploit |
| Vendor | Product | Version |
|---|---|---|
| Drupal | Simple Hierarchical Select (shs) | Affected: 7.x-1.0, < 7.x-1.11 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T12:52:40.007115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T12:52:46.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/shs",
"defaultStatus": "unknown",
"product": "Simple Hierarchical Select (shs)",
"repo": "https://git.drupalcode.org/project/shs",
"vendor": "Drupal",
"versions": [
{
"lessThan": "7.x-1.11",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Reporter: Ra M\u00e4nd (ram4nd)"
}
],
"datePublic": "2026-03-03T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSimple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context.\u003cbr\u003eThis affects versions from 7.x-1.0 through (and including) 7.x-1.10.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context.\nThis affects versions from 7.x-1.0 through (and including) 7.x-1.10."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T21:48:23.461Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"name": "NES patch branch comparison",
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-4929"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Simple Hierarchical Select (Drupal 7) XSS in term-derived output",
"x_generator": {
"engine": "Vulnogram 0.5.0",
"note": "Draft from issue PDF and local SHS patch evidence; replace CVE ID/assigner metadata before publication."
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-4929",
"datePublished": "2026-05-21T21:48:23.461Z",
"dateReserved": "2026-03-26T19:18:14.271Z",
"dateUpdated": "2026-05-22T12:52:46.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4093 (GCVE-0-2026-4093)
Vulnerability from nvd – Published: 2026-05-21 21:50 – Updated: 2026-05-22 13:24
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/taxonom… | third-party-advisory |
| Vendor | Product | Version |
|---|---|---|
| Drupal | Term Reference Tree | Affected: 7.x-1.x, ≤ 7.x-1.11 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T13:23:03.434925Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T13:24:04.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/term_reference_tree",
"defaultStatus": "unaffected",
"packageName": "Term Reference Tree",
"product": "Term Reference Tree",
"repo": "https://git.drupalcode.org/project/term_reference_tree",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.11",
"status": "affected",
"version": "7.x-1.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-01T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eVector A (token display templates):\u003c/b\u003e When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eVector B (term label rendering):\u003c/b\u003e Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.\u003cbr\u003e\u003cbr\u003eExploit affects versions 7.x-1.x up to and including 7.x-1.11."
}
],
"value": "In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.\n\nVector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.\n\nVector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.\n\nExploit affects versions 7.x-1.x up to and including 7.x-1.11."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T21:50:42.339Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-4093"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-4093",
"datePublished": "2026-05-21T21:50:42.339Z",
"dateReserved": "2026-03-12T22:40:32.279Z",
"dateUpdated": "2026-05-22T13:24:04.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9082 (GCVE-0-2026-9082)
Vulnerability from nvd – Published: 2026-05-20 18:20 – Updated: 2026-05-23 03:55
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| URL | Tags |
|---|---|
| https://www.drupal.org/sa-core-2026-004 | |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 8.9.0, < 10.4.10 (semver); Affected: 10.5.0, < 10.5.10 (semver); Affected: 10.6.0, < 10.6.9 (semver); Affected: 11.0.0, < 11.1.10 (semver); Affected: 11.2.0, < 11.2.12 (semver); Affected: 11.3.0, < 11.3.10 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9082",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-22",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:38.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T00:00:00.000Z",
"value": "CVE-2026-9082 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.10",
"status": "affected",
"version": "8.9.0",
"versionType": "semver"
},
{
"lessThan": "10.5.10",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "10.6.9",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.1.10",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.12",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.10",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bj\u00f6rn Brala (bbrala)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Heine Deelstra (heine)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tim Hestenes Lehnen (hestenet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2026-05-20T18:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Drupal core allows SQL Injection.\u003cp\u003eThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Drupal core allows SQL Injection.\n\nThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:43:22.299Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Highly critical - SQL injection - SA-CORE-2026-004",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-9082",
"datePublished": "2026-05-20T18:20:52.863Z",
"dateReserved": "2026-05-20T13:35:13.119Z",
"dateUpdated": "2026-05-23T03:55:38.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8495 (GCVE-0-2026-8495)
Vulnerability from nvd – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35
- CWE-862 - Missing Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:52:33.388595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:35:44.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/date_ical",
"defaultStatus": "unaffected",
"product": "Date iCal",
"repo": "https://git.drupalcode.org/project/date_ical",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.0.15",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jo\u00ebl Pittet (joelpittet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2026-05-13T17:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\u003cp\u003eThis issue affects Date iCal: from 0.0.0 before 4.0.15.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\n\nThis issue affects Date iCal: from 0.0.0 before 4.0.15."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:29:50.850Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-037"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8495",
"datePublished": "2026-05-19T22:29:50.850Z",
"dateReserved": "2026-05-13T16:55:31.986Z",
"dateUpdated": "2026-05-20T16:35:44.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8493 (GCVE-0-2026-8493)
Vulnerability from nvd – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
| Vendor | Product | Version |
|---|---|---|
| Drupal | Colorbox Inline | Affected: 0.0.0, < 2.1.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:54:28.252059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:35:50.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/colorbox_inline",
"defaultStatus": "unaffected",
"product": "Colorbox Inline",
"repo": "https://git.drupalcode.org/project/colorbox_inline",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Michael Harris (miwayha)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-05-13T17:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Colorbox Inline: from 0.0.0 before 2.1.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).\n\nThis issue affects Colorbox Inline: from 0.0.0 before 2.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:29:31.032Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-036"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8493",
"datePublished": "2026-05-19T22:29:31.032Z",
"dateReserved": "2026-05-13T15:43:29.219Z",
"dateUpdated": "2026-05-20T16:35:50.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8492 (GCVE-0-2026-8492)
Vulnerability from nvd – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35
- CWE-471 - Modification of Assumed-Immutable Data (MAID)
| Vendor | Product | Version |
|---|---|---|
| Drupal | Translate Drupal with GTranslate | Affected: 0.0.0, < 3.0.5 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T16:17:26.016749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:35:56.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/gtranslate",
"defaultStatus": "unaffected",
"product": "Translate Drupal with GTranslate",
"repo": "https://git.drupalcode.org/project/gtranslate",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Edvard Ananyan (edo888)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-05-13T17:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing.\u003cp\u003eThis issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.\u003c/p\u003e"
}
],
"value": "Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing.\n\nThis issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-154",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-154 Resource Location Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "CWE-471 Modification of Assumed-Immutable Data (MAID)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:29:14.483Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-035"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8492",
"datePublished": "2026-05-19T22:29:14.483Z",
"dateReserved": "2026-05-13T15:43:27.852Z",
"dateUpdated": "2026-05-20T16:35:56.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8491 (GCVE-0-2026-8491)
Vulnerability from nvd – Published: 2026-05-19 22:28 – Updated: 2026-05-20 16:36
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
| Vendor | Product | Version |
|---|---|---|
| Drupal | Node View Permissions | Affected: 0.0.0, < 1.7.0 (semver); Affected: 2.0.0, < 2.0.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T16:32:33.990332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:36:03.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/node_view_permissions",
"defaultStatus": "unaffected",
"product": "Node View Permissions",
"repo": "https://git.drupalcode.org/project/node_view_permissions",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Shepherd (adamps)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00e1lint Nagy (nagy.balint)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-05-13T17:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing.\u003cp\u003eThis issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing.\n\nThis issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:28:58.101Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-034"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8491",
"datePublished": "2026-05-19T22:28:58.101Z",
"dateReserved": "2026-05-13T15:43:26.500Z",
"dateUpdated": "2026-05-20T16:36:03.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6871 (GCVE-0-2026-6871)
Vulnerability from nvd – Published: 2026-05-19 22:28 – Updated: 2026-05-20 13:22
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:21:42.219773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:22:00.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/obfuscate",
"defaultStatus": "unaffected",
"product": "Obfuscate",
"repo": "https://git.drupalcode.org/project/obfuscate",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christophe Jossart (colorfield)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nigel Cunningham (nigelcunningham)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-04-22T17:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Obfuscate: from 0.0.0 before 2.0.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS).\n\nThis issue affects Obfuscate: from 0.0.0 before 2.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:28:40.232Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-033"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6871",
"datePublished": "2026-05-19T22:28:40.232Z",
"dateReserved": "2026-04-22T16:45:04.896Z",
"dateUpdated": "2026-05-20T13:22:00.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6367 (GCVE-0-2026-6367)
Vulnerability from nvd – Published: 2026-05-19 22:28 – Updated: 2026-06-22 15:07
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 11.3.0, < 11.3.7 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:33:57.976222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:34:14.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cantina_security"
},
{
"lang": "en",
"type": "finder",
"value": "Dries Buytaert (dries)"
},
{
"lang": "en",
"type": "finder",
"value": "Shirsendu Mondal"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "finder",
"value": "Dmitrijs Trizna (dtrizna)"
}
],
"datePublic": "2026-04-15T19:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 11.3.0 before 11.3.7.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\n\nThis issue affects Drupal core: from 11.3.0 before 11.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:07:43.029Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6367",
"datePublished": "2026-05-19T22:28:07.470Z",
"dateReserved": "2026-04-15T14:39:29.058Z",
"dateUpdated": "2026-06-22T15:07:43.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6366 (GCVE-0-2026-6366)
Vulnerability from nvd – Published: 2026-05-19 22:27 – Updated: 2026-05-21 03:55
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 8.0.0, < 10.5.9 (semver); Affected: 10.6.0, < 10.6.7 (semver); Affected: 11.0.0, < 11.2.11 (semver); Affected: 11.3.0, < 11.3.7 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T03:55:14.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.7",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.11",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Truong Le (hswww)"
},
{
"lang": "en",
"type": "finder",
"value": "menon"
},
{
"lang": "en",
"type": "finder",
"value": "t-chen"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00e4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-15T19:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:27:46.454Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6366",
"datePublished": "2026-05-19T22:27:46.454Z",
"dateReserved": "2026-04-15T14:39:27.643Z",
"dateUpdated": "2026-05-21T03:55:14.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6365 (GCVE-0-2026-6365)
Vulnerability from nvd – Published: 2026-05-19 22:27 – Updated: 2026-05-20 13:35
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 8.0.0, < 10.5.9 (semver); Affected: 10.6.0, < 10.6.7 (semver); Affected: 11.0.0, < 11.2.11 (semver); Affected: 11.3.0, < 11.3.7 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:34:54.507498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:35:14.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.7",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.11",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Murat Keki\u00e7 (murat_kekic)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Michael Hess (mlhess)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joseph Zhao (pandaski)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00e4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-15T19:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:27:21.046Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6365",
"datePublished": "2026-05-19T22:27:21.046Z",
"dateReserved": "2026-04-15T14:39:26.232Z",
"dateUpdated": "2026-05-20T13:35:14.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6095 (GCVE-0-2026-6095)
Vulnerability from nvd – Published: 2026-05-19 22:26 – Updated: 2026-05-20 13:35
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:35:27.428157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:35:49.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/orejime",
"defaultStatus": "unaffected",
"product": "Orejime",
"repo": "https://git.drupalcode.org/project/orejime",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.16",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fabien Gutknecht (fabsgugu)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-08T16:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Orejime: from 0.0.0 before 2.0.16.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS).\n\nThis issue affects Orejime: from 0.0.0 before 2.0.16."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:26:40.585Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-032"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6095",
"datePublished": "2026-05-19T22:26:40.585Z",
"dateReserved": "2026-04-10T16:50:48.630Z",
"dateUpdated": "2026-05-20T13:35:49.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6816 (GCVE-0-2026-6816)
Vulnerability from cvelistv5 – Published: 2026-05-28 22:50 – Updated: 2026-05-29 18:33
- CWE-267 - Privilege Defined With Unsafe Actions

| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/tfa-bas… | third-party-advisory |
| https://www.herodevs.com/vulnerability-directory/… | exploit |

| Vendor | Product | Version |
|---|---|---|
| Drupal | TFA Basic Plugins | Affected: 7.x-1.0 , ≤ 7.x-1.2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:33:12.747287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:33:20.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816?nes-for-drupal-7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa_basic",
"defaultStatus": "unknown",
"product": "TFA Basic Plugins",
"repo": "https://git.drupalcode.org/project/tfa_basic",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.2",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\u003cbr\u003e\u003cp\u003eThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.\u003c/p\u003e"
}
],
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\n\n\nThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T22:50:49.419Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"name": "Drupal security advisory SA-CONTRIB-2025-085",
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TFA Basic Plugins - Access Bypass",
"x_generator": {
"engine": "Vulnogram 0.5.0",
"note": "Draft record revised for CVE-2026-6816 as a standalone TFA Basic Plugins CVE based on Drupal.org issue #3577095."
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6816",
"datePublished": "2026-05-28T22:50:49.419Z",
"dateReserved": "2026-04-21T19:10:28.105Z",
"dateUpdated": "2026-05-29T18:33:20.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5343 (GCVE-0-2026-5343)
Vulnerability from cvelistv5 – Published: 2026-05-28 22:48 – Updated: 2026-05-29 18:38
- CWE-754 - Improper Check for Unusual or Exceptional Conditions

| Vendor | Product | Version |
|---|---|---|
| Drupal | SAML SSO - Service Provider | Affected: 0.0.0 , < 3.1.4 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:38:28.307589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:38:36.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_saml",
"defaultStatus": "unaffected",
"product": "SAML SSO - Service Provider",
"repo": "https://git.drupalcode.org/project/miniorange_saml",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.1.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim de Jong | Freelance Drupal Developer (tim_dj)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-01T16:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation.\u003cp\u003eThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation.\n\nThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T22:48:47.591Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-031"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-5343",
"datePublished": "2026-05-28T22:48:47.591Z",
"dateReserved": "2026-04-01T15:41:53.003Z",
"dateUpdated": "2026-05-29T18:38:36.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4093 (GCVE-0-2026-4093)
Vulnerability from cvelistv5 – Published: 2026-05-21 21:50 – Updated: 2026-05-22 13:24
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/taxonom… | third-party-advisory |

| Vendor | Product | Version |
|---|---|---|
| Drupal | Term Reference Tree | Affected: 7.x-1.x , ≤ 7.x-1.11 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T13:23:03.434925Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T13:24:04.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/term_reference_tree",
"defaultStatus": "unaffected",
"packageName": "Term Reference Tree",
"product": "Term Reference Tree",
"repo": "https://git.drupalcode.org/project/term_reference_tree",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.11",
"status": "affected",
"version": "7.x-1.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-01T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eVector A (token display templates):\u003c/b\u003e When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eVector B (term label rendering):\u003c/b\u003e Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.\u003cbr\u003e\u003cbr\u003eExploit affects versions 7.x-1.x up to and including 7.x-1.11."
}
],
"value": "In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.\n\nVector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.\n\nVector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.\n\nExploit affects versions 7.x-1.x up to and including 7.x-1.11."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T21:50:42.339Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-4093"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-4093",
"datePublished": "2026-05-21T21:50:42.339Z",
"dateReserved": "2026-03-12T22:40:32.279Z",
"dateUpdated": "2026-05-22T13:24:04.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4929 (GCVE-0-2026-4929)
Vulnerability from cvelistv5 – Published: 2026-05-21 21:48 – Updated: 2026-05-22 12:52
- Cross-site Scripting (XSS)
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/simple-… | third-party-advisory |
| https://www.herodevs.com/vulnerability-directory/… | exploit |

| Vendor | Product | Version |
|---|---|---|
| Drupal | Simple Hierarchical Select (shs) | Affected: 7.x-1.0 , < 7.x-1.11 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T12:52:40.007115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T12:52:46.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/shs",
"defaultStatus": "unknown",
"product": "Simple Hierarchical Select (shs)",
"repo": "https://git.drupalcode.org/project/shs",
"vendor": "Drupal",
"versions": [
{
"lessThan": "7.x-1.11",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Reporter: Ra M\u00e4nd (ram4nd)"
}
],
"datePublic": "2026-03-03T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSimple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context.\u003cbr\u003eThis affects versions from 7.x-1.0 through (and including) 7.x-1.10.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context.\nThis affects versions from 7.x-1.0 through (and including) 7.x-1.10."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T21:48:23.461Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"name": "NES patch branch comparison",
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-4929"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Simple Hierarchical Select (Drupal 7) XSS in term-derived output",
"x_generator": {
"engine": "Vulnogram 0.5.0",
"note": "Draft from issue PDF and local SHS patch evidence; replace CVE ID/assigner metadata before publication."
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-4929",
"datePublished": "2026-05-21T21:48:23.461Z",
"dateReserved": "2026-03-26T19:18:14.271Z",
"dateUpdated": "2026-05-22T12:52:46.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9082 (GCVE-0-2026-9082)
Vulnerability from cvelistv5 – Published: 2026-05-20 18:20 – Updated: 2026-05-23 03:55
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

| URL | Tags |
|---|---|
| https://www.drupal.org/sa-core-2026-004 | |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |

| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 8.9.0 , < 10.4.10 (semver); Affected: 10.5.0 , < 10.5.10 (semver); Affected: 10.6.0 , < 10.6.9 (semver); Affected: 11.0.0 , < 11.1.10 (semver); Affected: 11.2.0 , < 11.2.12 (semver); Affected: 11.3.0 , < 11.3.10 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9082",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-22",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:38.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-9082"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T00:00:00.000Z",
"value": "CVE-2026-9082 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.10",
"status": "affected",
"version": "8.9.0",
"versionType": "semver"
},
{
"lessThan": "10.5.10",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "10.6.9",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.1.10",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.12",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.10",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bj\u00f6rn Brala (bbrala)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Heine Deelstra (heine)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tim Hestenes Lehnen (hestenet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2026-05-20T18:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Drupal core allows SQL Injection.\u003cp\u003eThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Drupal core allows SQL Injection.\n\nThis issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T17:43:22.299Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Highly critical - SQL injection - SA-CORE-2026-004",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-9082",
"datePublished": "2026-05-20T18:20:52.863Z",
"dateReserved": "2026-05-20T13:35:13.119Z",
"dateUpdated": "2026-05-23T03:55:38.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8495 (GCVE-0-2026-8495)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35
- CWE-862 - Missing Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:52:33.388595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:35:44.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/date_ical",
"defaultStatus": "unaffected",
"product": "Date iCal",
"repo": "https://git.drupalcode.org/project/date_ical",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.0.15",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jo\u00ebl Pittet (joelpittet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2026-05-13T17:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\u003cp\u003eThis issue affects Date iCal: from 0.0.0 before 4.0.15.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\n\nThis issue affects Date iCal: from 0.0.0 before 4.0.15."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:29:50.850Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-037"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8495",
"datePublished": "2026-05-19T22:29:50.850Z",
"dateReserved": "2026-05-13T16:55:31.986Z",
"dateUpdated": "2026-05-20T16:35:44.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8493 (GCVE-0-2026-8493)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

| Vendor | Product | Version |
|---|---|---|
| Drupal | Colorbox Inline | Affected: 0.0.0, < 2.1.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:54:28.252059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:35:50.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/colorbox_inline",
"defaultStatus": "unaffected",
"product": "Colorbox Inline",
"repo": "https://git.drupalcode.org/project/colorbox_inline",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Michael Harris (miwayha)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-05-13T17:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Colorbox Inline: from 0.0.0 before 2.1.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS).\n\nThis issue affects Colorbox Inline: from 0.0.0 before 2.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:29:31.032Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-036"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8493",
"datePublished": "2026-05-19T22:29:31.032Z",
"dateReserved": "2026-05-13T15:43:29.219Z",
"dateUpdated": "2026-05-20T16:35:50.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8492 (GCVE-0-2026-8492)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35
- CWE-471 - Modification of Assumed-Immutable Data (MAID)

| Vendor | Product | Version |
|---|---|---|
| Drupal | Translate Drupal with GTranslate | Affected: 0.0.0, < 3.0.5 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T16:17:26.016749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:35:56.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/gtranslate",
"defaultStatus": "unaffected",
"product": "Translate Drupal with GTranslate",
"repo": "https://git.drupalcode.org/project/gtranslate",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Edvard Ananyan (edo888)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-05-13T17:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing.\u003cp\u003eThis issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.\u003c/p\u003e"
}
],
"value": "Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing.\n\nThis issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-154",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-154 Resource Location Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "CWE-471 Modification of Assumed-Immutable Data (MAID)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:29:14.483Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-035"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8492",
"datePublished": "2026-05-19T22:29:14.483Z",
"dateReserved": "2026-05-13T15:43:27.852Z",
"dateUpdated": "2026-05-20T16:35:56.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8491 (GCVE-0-2026-8491)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:28 – Updated: 2026-05-20 16:36
- CWE-754 - Improper Check for Unusual or Exceptional Conditions

| Vendor | Product | Version |
|---|---|---|
| Drupal | Node View Permissions | Affected: 0.0.0, < 1.7.0 (semver); Affected: 2.0.0, < 2.0.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T16:32:33.990332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:36:03.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/node_view_permissions",
"defaultStatus": "unaffected",
"product": "Node View Permissions",
"repo": "https://git.drupalcode.org/project/node_view_permissions",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Shepherd (adamps)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00e1lint Nagy (nagy.balint)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-05-13T17:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing.\u003cp\u003eThis issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing.\n\nThis issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:28:58.101Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-034"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-8491",
"datePublished": "2026-05-19T22:28:58.101Z",
"dateReserved": "2026-05-13T15:43:26.500Z",
"dateUpdated": "2026-05-20T16:36:03.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6871 (GCVE-0-2026-6871)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:28 – Updated: 2026-05-20 13:22
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:21:42.219773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:22:00.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/obfuscate",
"defaultStatus": "unaffected",
"product": "Obfuscate",
"repo": "https://git.drupalcode.org/project/obfuscate",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christophe Jossart (colorfield)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nigel Cunningham (nigelcunningham)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-04-22T17:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Obfuscate: from 0.0.0 before 2.0.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS).\n\nThis issue affects Obfuscate: from 0.0.0 before 2.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:28:40.232Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-033"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6871",
"datePublished": "2026-05-19T22:28:40.232Z",
"dateReserved": "2026-04-22T16:45:04.896Z",
"dateUpdated": "2026-05-20T13:22:00.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6367 (GCVE-0-2026-6367)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:28 – Updated: 2026-06-22 15:07
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 11.3.0, < 11.3.7 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:33:57.976222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:34:14.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cantina_security"
},
{
"lang": "en",
"type": "finder",
"value": "Dries Buytaert (dries)"
},
{
"lang": "en",
"type": "finder",
"value": "Shirsendu Mondal"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "finder",
"value": "Dmitrijs Trizna (dtrizna)"
}
],
"datePublic": "2026-04-15T19:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 11.3.0 before 11.3.7.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\n\nThis issue affects Drupal core: from 11.3.0 before 11.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:07:43.029Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6367",
"datePublished": "2026-05-19T22:28:07.470Z",
"dateReserved": "2026-04-15T14:39:29.058Z",
"dateUpdated": "2026-06-22T15:07:43.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6366 (GCVE-0-2026-6366)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:27 – Updated: 2026-05-21 03:55
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 8.0.0, < 10.5.9 (semver); Affected: 10.6.0, < 10.6.7 (semver); Affected: 11.0.0, < 11.2.11 (semver); Affected: 11.3.0, < 11.3.7 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T03:55:14.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.7",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.11",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Truong Le (hswww)"
},
{
"lang": "en",
"type": "finder",
"value": "menon"
},
{
"lang": "en",
"type": "finder",
"value": "t-chen"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00e4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-15T19:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:27:46.454Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6366",
"datePublished": "2026-05-19T22:27:46.454Z",
"dateReserved": "2026-04-15T14:39:27.643Z",
"dateUpdated": "2026-05-21T03:55:14.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6365 (GCVE-0-2026-6365)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:27 – Updated: 2026-05-20 13:35
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal core | Affected: 8.0.0, < 10.5.9 (semver); Affected: 10.6.0, < 10.6.7 (semver); Affected: 11.0.0, < 11.2.11 (semver); Affected: 11.3.0, < 11.3.7 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:34:54.507498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:35:14.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.7",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.11",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.3.7",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Murat Keki\u00e7 (murat_kekic)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Michael Hess (mlhess)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joseph Zhao (pandaski)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00e4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-15T19:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:27:21.046Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6365",
"datePublished": "2026-05-19T22:27:21.046Z",
"dateReserved": "2026-04-15T14:39:26.232Z",
"dateUpdated": "2026-05-20T13:35:14.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6095 (GCVE-0-2026-6095)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:26 – Updated: 2026-05-20 13:35
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:35:27.428157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:35:49.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/orejime",
"defaultStatus": "unaffected",
"product": "Orejime",
"repo": "https://git.drupalcode.org/project/orejime",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.16",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fabien Gutknecht (fabsgugu)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-04-08T16:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Orejime: from 0.0.0 before 2.0.16.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS).\n\nThis issue affects Orejime: from 0.0.0 before 2.0.16."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:26:40.585Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-032"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6095",
"datePublished": "2026-05-19T22:26:40.585Z",
"dateReserved": "2026-04-10T16:50:48.630Z",
"dateUpdated": "2026-05-20T13:35:49.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}