Search criteria
617 vulnerabilities by drupal
CVE-2026-1554 (GCVE-0-2026-1554)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:26 – Updated: 2026-02-05 15:15
VLAI?
Title
Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007
Summary
XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
Severity ?
4.2 (Medium)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Central Authentication System (CAS) Server |
Affected:
0.0.0 , < 2.0.3
(semver)
Affected: 2.1.0 , < 2.1.2 (semver) |
Credits
Gaël Gosset (gaëlg)
Ted Cooper (elc)
Gaël Gosset (gaëlg)
Jaap Jansma (jaapjansma)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T15:14:46.442485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T15:15:29.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/cas_server",
"defaultStatus": "unaffected",
"product": "Central Authentication System (CAS) Server",
"repo": "https://git.drupalcode.org/project/cas_server",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.1.2",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ted Cooper (elc)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jaap Jansma (jaapjansma)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-28T17:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.\u003cp\u003eThis issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.\u003c/p\u003e"
}
],
"value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91 XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:26:38.850Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-1554",
"datePublished": "2026-02-04T20:26:38.850Z",
"dateReserved": "2026-01-28T17:01:09.595Z",
"dateUpdated": "2026-02-05T15:15:29.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1553 (GCVE-0-2026-1553)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:26 – Updated: 2026-02-04 21:21
VLAI?
Title
Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
Summary
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
Severity ?
4.8 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Canvas |
Affected:
0.0.0 , < 1.0.4
(semver)
|
Credits
jschref
Bálint Kléri (balintbrews)
Matt Glaman (mglaman)
Christian López EspÃnola (penyaskito)
Tim Plunkett (tim.plunkett)
Alex Bronstein (effulgentsia)
Greg Knaddison (greggles)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:21:13.798297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:21:35.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/canvas",
"defaultStatus": "unaffected",
"product": "Drupal Canvas",
"repo": "https://git.drupalcode.org/project/canvas",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jschref"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00c3\u00a1lint Kl\u00c3\u00a9ri (balintbrews)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Matt Glaman (mglaman)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tim Plunkett (tim.plunkett)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alex Bronstein (effulgentsia)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2026-01-28T17:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal Canvas: from 0.0.0 before 1.0.4.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:26:22.334Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-1553",
"datePublished": "2026-02-04T20:26:22.334Z",
"dateReserved": "2026-01-28T17:01:08.406Z",
"dateUpdated": "2026-02-04T21:21:35.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0948 (GCVE-0-2026-0948)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:26 – Updated: 2026-02-04 21:23
VLAI?
Title
Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.
Severity ?
6.5 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Microsoft Entra ID SSO Login |
Affected:
0.0.0 , < 1.0.4
(semver)
|
Credits
Ashish Verma (ashish.verma85)
Dheeraj Jhamtani (dheeraj jhamtani)
Marcelo Vani (marcelovani)
Jaseer Kinangattil (jaseerkinangattil)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:23:14.854904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:23:18.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social_auth_entra_id",
"defaultStatus": "unaffected",
"product": "Microsoft Entra ID SSO Login",
"repo": "https://git.drupalcode.org/project/social_auth_entra_id",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ashish Verma (ashish.verma85)"
},
{
"lang": "en",
"type": "finder",
"value": "Dheeraj Jhamtani (dheeraj jhamtani)"
},
{
"lang": "en",
"type": "finder",
"value": "Marcelo Vani (marcelovani)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jaseer Kinangattil (jaseerkinangattil)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-14T17:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.\u003cp\u003eThis issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:26:02.605Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0948",
"datePublished": "2026-02-04T20:26:02.605Z",
"dateReserved": "2026-01-14T16:52:33.298Z",
"dateUpdated": "2026-02-04T21:23:18.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0947 (GCVE-0-2026-0947)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:25 – Updated: 2026-02-04 21:24
VLAI?
Title
AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AT Internet Piano Analytics |
Affected:
0.0.0 , < 1.0.1
(semver)
Affected: 2.0.0 , < 2.3.1 (semver) |
Credits
Pierre Rudloff (prudloff)
Frank Mably (mably)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:24:05.128353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:24:09.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/pianoanalytics",
"defaultStatus": "unaffected",
"product": "AT Internet Piano Analytics",
"repo": "https://git.drupalcode.org/project/pianoanalytics",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.3.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Frank Mably (mably)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-01-14T17:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:25:50.871Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0947",
"datePublished": "2026-02-04T20:25:50.871Z",
"dateReserved": "2026-01-14T16:52:31.950Z",
"dateUpdated": "2026-02-04T21:24:09.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0946 (GCVE-0-2026-0946)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:25 – Updated: 2026-02-06 20:35
VLAI?
Title
AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AT Internet SmartTag |
Affected:
0.0.0 , < 1.0.1
(semver)
|
Credits
Pierre Rudloff (prudloff)
Frank Mably (mably)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:35:19.832501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:35:38.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/atsmarttag",
"defaultStatus": "unaffected",
"product": "AT Internet SmartTag",
"repo": "https://git.drupalcode.org/project/atsmarttag",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Frank Mably (mably)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-14T17:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:25:39.200Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0946",
"datePublished": "2026-02-04T20:25:39.200Z",
"dateReserved": "2026-01-14T16:52:30.774Z",
"dateUpdated": "2026-02-06T20:35:38.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0945 (GCVE-0-2026-0945)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:25 – Updated: 2026-02-04 20:25
VLAI?
Title
Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
Summary
Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0.
Severity ?
No CVSS data available.
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Role Delegation |
Affected:
1.3.0 , < 1.5.0
(semver)
|
Credits
Drew Webber (mcdruid)
Adam Bramley (acbramley)
Dieter Holvoet (dieterholvoet)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/role_delegation",
"defaultStatus": "unaffected",
"product": "Role Delegation",
"repo": "https://git.drupalcode.org/project/role_delegation",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "1.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Adam Bramley (acbramley)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dieter Holvoet (dieterholvoet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-14T17:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.\u003cp\u003eThis issue affects Role Delegation: from 1.3.0 before 1.5.0.\u003c/p\u003e"
}
],
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:25:28.874Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0945",
"datePublished": "2026-02-04T20:25:28.874Z",
"dateReserved": "2026-01-14T16:52:29.540Z",
"dateUpdated": "2026-02-04T20:25:28.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0944 (GCVE-0-2026-0944)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:25 – Updated: 2026-02-04 20:40
VLAI?
Title
Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.
Severity ?
5.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Group invite |
Affected:
0.0.0 , < 2.3.9
(semver)
Affected: 3.0.0 , < 3.0.4 (semver) Affected: 4.0.0 , < 4.0.4 (semver) |
Credits
Kevin Quillen (kevinquillen)
eduardo morales alberti
Kevin Quillen (kevinquillen)
Nikolay Lobachev (lobsterr)
Ricardo Sanz Ante (tunic)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T20:40:24.280905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:40:47.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ginvite",
"defaultStatus": "unaffected",
"product": "Group invite",
"repo": "https://git.drupalcode.org/project/ginvite",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.3.9",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Quillen (kevinquillen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "eduardo morales alberti"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kevin Quillen (kevinquillen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nikolay Lobachev (lobsterr)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ricardo Sanz Ante (tunic)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-14T17:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.\u003cp\u003eThis issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:25:17.113Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0944",
"datePublished": "2026-02-04T20:25:17.113Z",
"dateReserved": "2026-01-14T16:52:28.163Z",
"dateUpdated": "2026-02-04T20:40:47.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14840 (GCVE-0-2025-14840)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:03 – Updated: 2026-01-29 16:30
VLAI?
Title
HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.
Severity ?
7.5 (High)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | HTTP Client Manager |
Affected:
0.0.0 , < 9.3.13
(semver)
Affected: 10.0.0 , < 10.0.2 (semver) Affected: 11.0.0 , < 11.0.1 (semver) |
Credits
mxh
Adriano Cori (aronne)
mxh
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T16:29:44.902449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T16:30:13.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/http_client_manager",
"defaultStatus": "unaffected",
"product": "HTTP Client Manager",
"repo": "https://git.drupalcode.org/project/http_client_manager",
"vendor": "Drupal",
"versions": [
{
"lessThan": "9.3.13",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.0.2",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "11.0.1",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mxh"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Adriano Cori (aronne)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "mxh"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-12-17T17:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.\u003cp\u003eThis issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:03:21.686Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-126"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-14840",
"datePublished": "2026-01-28T20:03:21.686Z",
"dateReserved": "2025-12-17T17:37:30.402Z",
"dateUpdated": "2026-01-29T16:30:13.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14472 (GCVE-0-2025-14472)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:03 – Updated: 2026-01-29 18:22
VLAI?
Title
Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.
Severity ?
8.1 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Acquia Content Hub |
Affected:
0.0.0 , < 3.6.4
(semver)
Affected: 3.7.0 , < 3.7.3 (semver) |
Credits
Lee Rowlands (larowlan)
Kirti Garg (kirti_garg)
Narendra Shenvi Desai (n4r3n)
Peter Pajor (pajor)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T18:22:13.065548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:22:18.916Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/acquia_contenthub",
"defaultStatus": "unaffected",
"product": "Acquia Content Hub",
"repo": "https://git.drupalcode.org/project/acquia_contenthub",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.6.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "3.7.3",
"status": "affected",
"version": "3.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kirti Garg (kirti_garg)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Narendra Shenvi Desai (n4r3n)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Peter Pajor (pajor)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-10T17:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:03:09.029Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-125"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-14472",
"datePublished": "2026-01-28T20:03:09.029Z",
"dateReserved": "2025-12-10T17:52:26.026Z",
"dateUpdated": "2026-01-29T18:22:18.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13986 (GCVE-0-2025-13986)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-02-02 17:59
VLAI?
Title
Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.
Severity ?
4.2 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Disable Login Page |
Affected:
0.0.0 , < 1.1.3
(semver)
|
Credits
Pierre Rudloff (prudloff)
Anoop John (anoopjohn)
Jijo Joseph (jijojoseph_zyxware)
Pierre Rudloff (prudloff)
cilefen (cilefen)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T14:42:16.110267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T17:59:32.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/disable_login",
"defaultStatus": "unaffected",
"product": "Disable Login Page",
"repo": "https://git.drupalcode.org/project/disable_login",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anoop John (anoopjohn)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jijo Joseph (jijojoseph_zyxware)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.\u003cp\u003eThis issue affects Disable Login Page: from 0.0.0 before 1.1.3.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:02:53.919Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-124"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13986",
"datePublished": "2026-01-28T20:02:53.919Z",
"dateReserved": "2025-12-03T17:04:28.074Z",
"dateUpdated": "2026-02-02T17:59:32.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13985 (GCVE-0-2025-13985)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 17:53
VLAI?
Title
Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123
Summary
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Entity Share |
Affected:
0.0.0 , < 3.13.0
(semver)
|
Credits
Jürgen Haas (jurgenhaas)
Florent Torregrosa (grimreaper)
Joachim Noreiko (joachim)
Bram Driesen (bramdriesen)
cilefen (cilefen)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T17:53:33.475809Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T17:53:36.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/entity_share",
"defaultStatus": "unaffected",
"product": "Entity Share",
"repo": "https://git.drupalcode.org/project/entity_share",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.13.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "J\u00c3\u00bcrgen Haas (jurgenhaas)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Florent Torregrosa (grimreaper)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joachim Noreiko (joachim)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.\u003cp\u003eThis issue affects Entity Share: from 0.0.0 before 3.13.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:02:40.252Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-123"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13985",
"datePublished": "2026-01-28T20:02:40.252Z",
"dateReserved": "2025-12-03T17:04:26.862Z",
"dateUpdated": "2026-01-29T17:53:36.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13984 (GCVE-0-2025-13984)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 18:24
VLAI?
Title
Next.js - Critical - Access bypass - SA-CONTRIB-2025-122
Summary
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.
Severity ?
6.1 (Medium)
CWE
- CWE-942 - Permissive Cross-domain Security Policy with Untrusted Domains
Assigner
References
Impacted products
Credits
Mike Decker (pookmish)
Brian Perry (brianperry)
Rob Decker (rrrob)
Bram Driesen (bramdriesen)
Greg Knaddison (greggles)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T18:24:01.824775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:24:28.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/next",
"defaultStatus": "unaffected",
"product": "Next.js",
"repo": "https://git.drupalcode.org/project/next",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.6.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mike Decker (pookmish)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Brian Perry (brianperry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Rob Decker (rrrob)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.\u003c/p\u003e"
}
],
"value": "Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:02:22.486Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-122"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Next.js - Critical - Access bypass - SA-CONTRIB-2025-122",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13984",
"datePublished": "2026-01-28T20:02:22.486Z",
"dateReserved": "2025-12-03T17:04:25.507Z",
"dateUpdated": "2026-01-29T18:24:28.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13983 (GCVE-0-2025-13983)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 17:52
VLAI?
Title
Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Credits
Drew Webber (mcdruid)
Bram Driesen (bramdriesen)
David Galeano (gxleano)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Bram Driesen (bramdriesen)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T17:52:20.904164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T17:52:24.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tagify",
"defaultStatus": "unaffected",
"product": "Tagify",
"repo": "https://git.drupalcode.org/project/tagify",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.44",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "David Galeano (gxleano)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Tagify: from 0.0.0 before 1.2.44.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:02:09.110Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-121"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13983",
"datePublished": "2026-01-28T20:02:09.110Z",
"dateReserved": "2025-12-03T17:04:24.229Z",
"dateUpdated": "2026-01-29T17:52:24.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13982 (GCVE-0-2025-13982)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:01 – Updated: 2026-01-29 18:26
VLAI?
Title
Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3.
Severity ?
8.1 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Login Time Restriction |
Affected:
0.0.0 , < 1.0.3
(semver)
|
Credits
Pierre Rudloff (prudloff)
Kunal Singh (kunal_singh)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T18:25:35.739246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:26:19.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/login_time_restriction",
"defaultStatus": "unaffected",
"product": "Login Time Restriction",
"repo": "https://git.drupalcode.org/project/login_time_restriction",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kunal Singh (kunal_singh)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Login Time Restriction: from 0.0.0 before 1.0.3.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:01:52.670Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-120"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13982",
"datePublished": "2026-01-28T20:01:52.670Z",
"dateReserved": "2025-12-03T17:04:22.525Z",
"dateUpdated": "2026-01-29T18:26:19.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13981 (GCVE-0-2025-13981)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:01 – Updated: 2026-01-29 17:12
VLAI?
Title
AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AI (Artificial Intelligence) |
Affected:
0.0.0 , < 1.0.7
(semver)
Affected: 1.1.0 , < 1.1.7 (semver) Affected: 1.2.0 , < 1.2.4 (semver) |
Credits
Drew Webber (mcdruid)
Marcus Johansson (marcus_johansson)
Bram Driesen (bramdriesen)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T17:12:42.119742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T17:12:45.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ai",
"defaultStatus": "unaffected",
"product": "AI (Artificial Intelligence)",
"repo": "https://git.drupalcode.org/project/ai",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.7",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.7",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
},
{
"lessThan": "1.2.4",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Marcus Johansson (marcus_johansson)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:01:32.915Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-119"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13981",
"datePublished": "2026-01-28T20:01:32.915Z",
"dateReserved": "2025-12-03T17:04:21.182Z",
"dateUpdated": "2026-01-29T17:12:45.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13980 (GCVE-0-2025-13980)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:01 – Updated: 2026-01-29 17:11
VLAI?
Title
CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.
Severity ?
5.3 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CKEditor 5 Premium Features |
Affected:
0.0.0 , < 1.2.10
(semver)
Affected: 1.3.0 , < 1.3.6 (semver) Affected: 1.4.0 , < 1.4.3 (semver) Affected: 1.5.0 , < 1.5.1 (semver) Affected: 1.6.0 , < 1.6.4 (semver) |
Credits
Wojciech Kukowski (salmonek)
Wojciech Kukowski (salmonek)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13980",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T17:11:20.684032Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T17:11:46.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ckeditor5_premium_features",
"defaultStatus": "unaffected",
"product": "CKEditor 5 Premium Features",
"repo": "https://git.drupalcode.org/project/ckeditor5_premium_features",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.10",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.3.6",
"status": "affected",
"version": "1.3.0",
"versionType": "semver"
},
{
"lessThan": "1.4.3",
"status": "affected",
"version": "1.4.0",
"versionType": "semver"
},
{
"lessThan": "1.5.1",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
},
{
"lessThan": "1.6.4",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wojciech Kukowski (salmonek)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wojciech Kukowski (salmonek)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.\u003cp\u003eThis issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:01:16.894Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-118"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13980",
"datePublished": "2026-01-28T20:01:16.894Z",
"dateReserved": "2025-12-03T17:04:19.606Z",
"dateUpdated": "2026-01-29T17:11:46.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13979 (GCVE-0-2025-13979)
Vulnerability from cvelistv5 – Published: 2026-01-28 20:00 – Updated: 2026-01-29 17:10
VLAI?
Title
Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117
Summary
Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2.
Severity ?
5.4 (Medium)
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
Credits
Pierre Rudloff (prudloff)
cb_govcms
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T17:10:00.857726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T17:10:16.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/minisite",
"defaultStatus": "unaffected",
"product": "Mini site",
"repo": "https://git.drupalcode.org/project/minisite",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cb_govcms"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-12-03T18:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.\u003cp\u003eThis issue affects Mini site: from 0.0.0 before 3.0.2.\u003c/p\u003e"
}
],
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T20:00:38.256Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-117"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13979",
"datePublished": "2026-01-28T20:00:38.256Z",
"dateReserved": "2025-12-03T17:04:18.274Z",
"dateUpdated": "2026-01-29T17:10:16.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0749 (GCVE-0-2026-0749)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:56 – Updated: 2026-01-28 19:12
VLAI?
Title
Cross-Site Scripting Vulnerability in Drupal Form Builder Module
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
Yonatan Offek (poiu)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:12:13.895295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:12:36.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/form_builder",
"defaultStatus": "unaffected",
"packageName": "Form Builder",
"product": "Drupal",
"repo": "https://git.drupalcode.org/project/form_builder",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.22",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yonatan Offek (poiu)"
}
],
"datePublic": "2025-05-14T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal: from 7.X-1.0 through 7.X-1.22.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T18:56:05.806Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0749"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting Vulnerability in Drupal Form Builder Module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0749",
"datePublished": "2026-01-28T18:56:05.806Z",
"dateReserved": "2026-01-08T19:51:10.879Z",
"dateUpdated": "2026-01-28T19:12:36.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0750 (GCVE-0-2026-0750)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:53 – Updated: 2026-01-28 19:25
VLAI?
Title
Payment bypass in Commerce Paybox
Summary
Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.
Severity ?
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Commerce Paybox |
Affected:
7-x-1.0 , ≤ 7.x-1.5
(custom)
|
Credits
Dave Hernandez (defr)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:25:03.938086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:25:29.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/commerce_paybox",
"defaultStatus": "unaffected",
"packageName": "Commerce Paybox",
"platforms": [
"Drupal 7.x"
],
"product": "Drupal Commerce Paybox",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.5",
"status": "affected",
"version": "7-x-1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dave Hernandez (defr)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.\u003cp\u003eThis issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.\u003c/p\u003e"
}
],
"value": "Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T18:53:42.343Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0750"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Payment bypass in Commerce Paybox",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0750",
"datePublished": "2026-01-28T18:53:42.343Z",
"dateReserved": "2026-01-08T19:51:40.852Z",
"dateUpdated": "2026-01-28T19:25:29.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14557 (GCVE-0-2025-14557)
Vulnerability from cvelistv5 – Published: 2026-01-14 18:40 – Updated: 2026-01-14 19:14
VLAI?
Title
XSS in Drupal 7 Facebook Pixel Module
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Facebook Pixel |
Affected:
7.x-1.0 , ≤ 7.x-1.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:14:09.207208Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:14:30.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/facebook_pixel",
"defaultStatus": "unaffected",
"packageName": "facebook_pixel",
"product": "Facebook Pixel",
"repo": "https://git.drupalcode.org/project/facebook_pixel",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.1",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.\u003cp\u003eThis issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:40:34.898Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-14557"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/facebook-pixel-less-critical-cross-site-scripting"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in Drupal 7 Facebook Pixel Module",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-14557",
"datePublished": "2026-01-14T18:40:34.898Z",
"dateReserved": "2025-12-12T04:58:03.452Z",
"dateUpdated": "2026-01-14T19:14:30.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14556 (GCVE-0-2025-14556)
Vulnerability from cvelistv5 – Published: 2026-01-14 18:38 – Updated: 2026-01-14 19:16
VLAI?
Title
XSS in Drupal 7 Flag Module
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:15:55.210499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:16:19.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/flag",
"defaultStatus": "unaffected",
"packageName": "flag",
"product": "Flag",
"repo": "https://git.drupalcode.org/project/flag",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-3.9",
"status": "affected",
"version": "7.x-3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Flag: from 7.X-3.0 through 7.X-3.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:38:21.047Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-14556"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/flag-moderately-critical-cross-site-scripting-backdrop-sa-contrib-2025-011"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in Drupal 7 Flag Module",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-14556",
"datePublished": "2026-01-14T18:38:21.047Z",
"dateReserved": "2025-12-12T04:55:26.290Z",
"dateUpdated": "2026-01-14T19:16:19.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12848 (GCVE-0-2025-12848)
Vulnerability from cvelistv5 – Published: 2025-11-26 01:28 – Updated: 2025-11-26 14:19
VLAI?
Title
XSS vulnerability when rendering filename in Webform Multiform
Summary
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious
filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts
in the context of the victim's browser.
The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T14:18:51.075955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T14:19:01.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/webform_multifile",
"defaultStatus": "unaffected",
"packageName": "Webform Multifile Upload",
"product": "Drupal",
"repo": "https://git.drupalcode.org/project/webform_multifile",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "7.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\u003cbr\u003efilename containing JavaScript code (e.g., \"\u0026lt;img src=1 onerror=alert(document.domain)\u0026gt;\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\u003cbr\u003ein the context of the victim\u0027s browser.\u003cbr\u003e \u003cbr\u003eThe issue is present in a third-party library and has been addressed in a patch available at\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/fyneworks/multifile/pull/44\"\u003ehttps://github.com/fyneworks/multifile/pull/44\u003c/a\u003e. Users are advised to apply the provided patch or update to a fixed version of the module.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\nfilename containing JavaScript code (e.g., \"\u003cimg src=1 onerror=alert(document.domain)\u003e\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\nin the context of the victim\u0027s browser.\n \nThe issue is present in a third-party library and has been addressed in a patch available at\u00a0 https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T01:28:33.628Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/node/3105204"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability when rendering filename in Webform Multiform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12848",
"datePublished": "2025-11-26T01:28:33.628Z",
"dateReserved": "2025-11-06T21:09:12.402Z",
"dateUpdated": "2025-11-26T14:19:01.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12761 (GCVE-0-2025-12761)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:56 – Updated: 2025-11-18 20:33
VLAI?
Title
Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Simple multi step form |
Affected:
0.0.0 , < 2.0.0
(semver)
|
Credits
Ide Braakman (idebr)
Diosbel MezquÃa (dmezquia)
Ide Braakman (idebr)
Vitaliy Bogomazyuk (vitaliyb98)
Greg Knaddison (greggles)
Ivo Van Geertruyen (mr.baileys)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:33:42.542969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:33:44.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/simple_multistep",
"defaultStatus": "unaffected",
"product": "Simple multi step form",
"repo": "https://git.drupalcode.org/project/simple_multistep",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ide Braakman (idebr)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Diosbel Mezqu\u00c3\u00ada (dmezquia)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ide Braakman (idebr)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Vitaliy Bogomazyuk (vitaliyb98)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ivo Van Geertruyen (mr.baileys)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-05T18:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Simple multi step form: from 0.0.0 before 2.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:56:14.234Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-116"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12761",
"datePublished": "2025-11-18T16:56:14.234Z",
"dateReserved": "2025-11-05T17:03:17.026Z",
"dateUpdated": "2025-11-18T20:33:44.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12760 (GCVE-0-2025-12760)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:30
VLAI?
Title
Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6.
Severity ?
5.4 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Credits
Pierre Rudloff (prudloff)
abdulaziz zaid
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:29:53.665381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:30:29.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/email_tfa",
"defaultStatus": "unaffected",
"product": "Email TFA",
"repo": "https://git.drupalcode.org/project/email_tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.6",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "abdulaziz zaid"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2025-11-05T18:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.\u003cp\u003eThis issue affects Email TFA: from 0.0.0 before 2.0.6.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:59.017Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-115"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12760",
"datePublished": "2025-11-18T16:55:59.017Z",
"dateReserved": "2025-11-05T17:03:15.328Z",
"dateUpdated": "2025-11-18T20:30:29.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13083 (GCVE-0-2025-13083)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2026-01-16 20:14
VLAI?
Title
Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
Summary
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
Severity ?
CWE
- CWE-525 - Use of Web Browser Cache Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) Affected: 7.0 , ≤ 7.103 (semver) |
Credits
Damien McKenna (damienmckenna)
tame4tex
Benji Fisher (benjifisher)
catch (catch)
Neil Drumm (drumm)
Lee Rowlands (larowlan)
Mingsong (mingsong)
Mohit Aghera (mohit_aghera)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:31:33.666610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:31:36.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.103",
"status": "affected",
"version": "7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "finder",
"value": "tame4tex"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mohit Aghera (mohit_aghera)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.\u003c/p\u003e"
}
],
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525 Use of Web Browser Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T20:14:00.799Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13083",
"datePublished": "2025-11-18T16:55:37.269Z",
"dateReserved": "2025-11-12T18:26:39.713Z",
"dateUpdated": "2026-01-16T20:14:00.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13082 (GCVE-0-2025-13082)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:32
VLAI?
Title
Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
Summary
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
4.3 (Medium)
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Kevin Quillen (kevinquillen)
Benji Fisher (benjifisher)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Mingsong (mingsong)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:32:40.692859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:32:44.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Quillen (kevinquillen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:16.062Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Defacement - SA-CORE-2025-007",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13082",
"datePublished": "2025-11-18T16:55:16.062Z",
"dateReserved": "2025-11-12T18:26:38.404Z",
"dateUpdated": "2025-11-18T20:32:44.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13081 (GCVE-0-2025-13081)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:54 – Updated: 2025-11-19 04:55
VLAI?
Title
Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.9 (Medium)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
anzuukino
Anna Kalata (akalata)
catch (catch)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:19.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anzuukino"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T18:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:56.214Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13081",
"datePublished": "2025-11-18T16:54:56.214Z",
"dateReserved": "2025-11-12T18:26:37.184Z",
"dateUpdated": "2025-11-19T04:55:19.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13080 (GCVE-0-2025-13080)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:54 – Updated: 2025-11-18 20:35
VLAI?
Title
Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Dragos Dumitrescu (dragos-dumi)
yasser ALLAM (inzo_)
Nils Destoop (nils.destoop)
Sven Decabooter (svendecabooter)
zhero
Alex Pott (alexpott)
catch (catch)
cilefen (cilefen)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Nils Destoop (nils.destoop)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:35:13.962818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:35:16.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dragos Dumitrescu (dragos-dumi)"
},
{
"lang": "en",
"type": "finder",
"value": "yasser ALLAM (inzo_)"
},
{
"lang": "en",
"type": "finder",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "finder",
"value": "Sven Decabooter (svendecabooter)"
},
{
"lang": "en",
"type": "finder",
"value": "zhero"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Pott (alexpott)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jen Lampton (jenlampton)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-11-12T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:32.042Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13080",
"datePublished": "2025-11-18T16:54:32.042Z",
"dateReserved": "2025-11-12T18:26:35.916Z",
"dateUpdated": "2025-11-18T20:35:16.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12466 (GCVE-0-2025-12466)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:38
VLAI?
Title
Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
Severity ?
7.5 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Simple OAuth (OAuth2) & OpenID Connect |
Affected:
6.0.0 , < 6.0.7
(semver)
|
Credits
coffeemakr
Bojan Bogdanovic (bojan_dev)
coffeemakr
Juraj Nemec (poker10)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:37:41.111051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:38:59.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/simple_oauth",
"defaultStatus": "unaffected",
"product": "Simple OAuth (OAuth2) \u0026 OpenID Connect",
"repo": "https://git.drupalcode.org/project/simple_oauth",
"vendor": "Drupal",
"versions": [
{
"lessThan": "6.0.7",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "coffeemakr"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bojan Bogdanovic (bojan_dev)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "coffeemakr"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-10-29T16:44:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) \u0026amp; OpenID Connect allows Authentication Bypass.\u003cp\u003eThis issue affects Simple OAuth (OAuth2) \u0026amp; OpenID Connect: from 6.0.0 before 6.0.7.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) \u0026 OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth (OAuth2) \u0026 OpenID Connect: from 6.0.0 before 6.0.7."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:51.343Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-114"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Simple OAuth (OAuth2) \u0026 OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12466",
"datePublished": "2025-10-29T23:14:51.343Z",
"dateReserved": "2025-10-29T14:43:07.597Z",
"dateUpdated": "2025-10-30T14:38:59.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12083 (GCVE-0-2025-12083)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:40
VLAI?
Title
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CivicTheme Design System |
Affected:
0.0.0 , < 1.12.0
(semver)
|
Credits
Adam Bramley (acbramley)
Lee Rowlands (larowlan)
Alan Cole (alan.cole)
Daniel (danielgry)
Fiona Morrison (fionamorrison23)
Suchi Garg (gargsuchi)
Lee Rowlands (larowlan)
Richard Gaunt (richardgaunt)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:39:43.077712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:40:11.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/civictheme",
"defaultStatus": "unaffected",
"product": "CivicTheme Design System",
"repo": "https://git.drupalcode.org/project/civictheme",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Bramley (acbramley)"
},
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Cole (alan.cole)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel (danielgry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fiona Morrison (fionamorrison23)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Suchi Garg (gargsuchi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Richard Gaunt (richardgaunt)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-10-22T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:33.900Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-113"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12083",
"datePublished": "2025-10-29T23:14:33.900Z",
"dateReserved": "2025-10-22T16:06:23.591Z",
"dateUpdated": "2025-10-30T14:40:11.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}