Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
642 vulnerabilities by drupal
CVE-2026-0748 (GCVE-0-2026-0748)
Vulnerability from cvelistv5 – Published: 2026-03-26 21:17 – Updated: 2026-03-26 21:17
VLAI?
Title
Access bypass in Drupal 7 i18n_node translation UI
Summary
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs.
Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Internationalization (i18n) - i18n_node submodule |
Affected:
7.x-1.0 , ≤ 7.x-1.35
(custom)
|
Credits
Tatár Balázs János (tatarbj)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/i18n",
"defaultStatus": "unaffected",
"packageName": "i18n_node",
"product": "Internationalization (i18n) - i18n_node submodule",
"repo": "https://git.drupalcode.org/project/i18n",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.35",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tat\u00e1r Bal\u00e1zs J\u00e1nos (tatarbj)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \u003cbr\u003e\u003cbr\u003eExploit affects versions 7.x-1.0 up to and including 7.x-1.35."
}
],
"value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T21:17:37.769Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/node/86"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Access bypass in Drupal 7 i18n_node translation UI",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0748",
"datePublished": "2026-03-26T21:17:37.769Z",
"dateReserved": "2026-01-08T19:50:35.556Z",
"dateUpdated": "2026-03-26T21:17:37.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1556 (GCVE-0-2026-1556)
Vulnerability from cvelistv5 – Published: 2026-03-26 21:14 – Updated: 2026-03-26 21:14
VLAI?
Title
Information disclosure via file URI overwrite in File (Field) Paths
Summary
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal File (Field) Paths |
Affected:
7.x-1.0 , < 7.x-1.3
(custom)
|
Credits
Michael Hess (mlhess)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/filefield_paths",
"defaultStatus": "unaffected",
"packageName": "File (Field) Paths",
"platforms": [
"Drupal 7.x"
],
"product": "Drupal File (Field) Paths",
"repo": "http://git.drupalcode.org/project/filefield_paths",
"vendor": "Drupal",
"versions": [
{
"lessThan": "7.x-1.3",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Hess (mlhess)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users\u2019 private files via filename\u2011collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files."
}
],
"value": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users\u2019 private files via filename\u2011collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files."
}
],
"impacts": [
{
"capecId": "CAPEC-17",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-17 Using Malicious Files"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T21:14:20.549Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-1556"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information disclosure via file URI overwrite in File (Field) Paths",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-1556",
"datePublished": "2026-03-26T21:14:20.549Z",
"dateReserved": "2026-01-28T17:20:34.800Z",
"dateUpdated": "2026-03-26T21:14:20.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4393 (GCVE-0-2026-4393)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:10 – Updated: 2026-03-26 20:10
VLAI?
Title
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Automated Logout |
Affected:
0.0.0 , < 1.7.0
(semver)
Affected: 2.0.0 , < 2.0.2 (semver) |
Date Public ?
2026-03-18 16:10
Credits
Pierre Rudloff (prudloff)
Ajit Shinde (ajits)
Jakob P (japerry)
Gareth Alexander (the_g_bomb)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/autologout",
"defaultStatus": "unaffected",
"product": "Automated Logout",
"repo": "https://git.drupalcode.org/project/autologout",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.0.2",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ajit Shinde (ajits)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakob P (japerry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Gareth Alexander (the_g_bomb)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-03-18T16:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:10:40.090Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-030"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-4393",
"datePublished": "2026-03-26T20:10:40.090Z",
"dateReserved": "2026-03-18T15:21:32.561Z",
"dateUpdated": "2026-03-26T20:10:40.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4933 (GCVE-0-2026-4933)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:10 – Updated: 2026-03-26 20:10
VLAI?
Title
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
Summary
Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Unpublished Node Permissions |
Affected:
0.0.0 , < 1.7.0
(semver)
|
Date Public ?
2026-03-11 16:35
Credits
Andre Groendijk (groendijk)
Fabien Gutknecht (fabsgugu)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/unpublished_node_permissions",
"defaultStatus": "unaffected",
"product": "Unpublished Node Permissions",
"repo": "https://git.drupalcode.org/project/unpublished_node_permissions",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andre Groendijk (groendijk)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fabien Gutknecht (fabsgugu)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-03-11T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.\u003cp\u003eThis issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:10:26.886Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-029"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-4933",
"datePublished": "2026-03-26T20:10:26.886Z",
"dateReserved": "2026-03-26T19:50:20.404Z",
"dateUpdated": "2026-03-26T20:10:26.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3573 (GCVE-0-2026-3573)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:10 – Updated: 2026-03-26 20:10
VLAI?
Title
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
Summary
Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AI (Artificial Intelligence) |
Affected:
0.0.0 , < 1.1.11
(semver)
Affected: 1.2.0 , < 1.2.12 (semver) |
Date Public ?
2026-03-11 16:33
Credits
Marcus Johansson (marcus_johansson)
Artem Dmitriiev (a.dmitriiev)
Abhisek Mazumdar (abhisekmazumdar)
Dave Long (longwave)
Marcus Johansson (marcus_johansson)
Valery Lourie (valthebald)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Jess (xjm)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ai",
"defaultStatus": "unaffected",
"product": "AI (Artificial Intelligence)",
"repo": "https://git.drupalcode.org/project/ai",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.11",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.2.12",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcus Johansson (marcus_johansson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Artem Dmitriiev (a.dmitriiev)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Abhisek Mazumdar (abhisekmazumdar)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Marcus Johansson (marcus_johansson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Valery Lourie (valthebald)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-03-11T16:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.\u003cp\u003eThis issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12."
}
],
"impacts": [
{
"capecId": "CAPEC-240",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-240 Resource Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:10:13.350Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-028"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3573",
"datePublished": "2026-03-26T20:10:13.350Z",
"dateReserved": "2026-03-04T21:17:43.868Z",
"dateUpdated": "2026-03-26T20:10:13.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3532 (GCVE-0-2026-3532)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:04 – Updated: 2026-03-26 20:04
VLAI?
Title
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
Summary
Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Severity ?
No CVSS data available.
CWE
- CWE-178 - Improper Handling of Case Sensitivity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | OpenID Connect / OAuth client |
Affected:
0.0.0 , < 1.5.0
(semver)
|
Date Public ?
2026-03-04 18:02
Credits
Eric Smith (ericgsmith)
Philip Frilling (pfrilling)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/openid_connect",
"defaultStatus": "unaffected",
"product": "OpenID Connect / OAuth client",
"repo": "https://git.drupalcode.org/project/openid_connect",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eric Smith (ericgsmith)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Philip Frilling (pfrilling)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T18:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.\u003cp\u003eThis issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.\u003c/p\u003e"
}
],
"value": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178 Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:04:03.160Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-027"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3532",
"datePublished": "2026-03-26T20:04:03.160Z",
"dateReserved": "2026-03-04T16:42:01.310Z",
"dateUpdated": "2026-03-26T20:04:03.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3531 (GCVE-0-2026-3531)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:03 – Updated: 2026-03-26 20:03
VLAI?
Title
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Severity ?
No CVSS data available.
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | OpenID Connect / OAuth client |
Affected:
0.0.0 , < 1.5.0
(semver)
|
Date Public ?
2026-03-04 18:02
Credits
Kimberley Massey (kimberleycgm)
Kimberley Massey (kimberleycgm)
Philip Frilling (pfrilling)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/openid_connect",
"defaultStatus": "unaffected",
"product": "OpenID Connect / OAuth client",
"repo": "https://git.drupalcode.org/project/openid_connect",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kimberley Massey (kimberleycgm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kimberley Massey (kimberleycgm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Philip Frilling (pfrilling)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T18:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.\u003cp\u003eThis issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:03:48.873Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-026"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3531",
"datePublished": "2026-03-26T20:03:48.873Z",
"dateReserved": "2026-03-04T16:42:00.011Z",
"dateUpdated": "2026-03-26T20:03:48.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3530 (GCVE-0-2026-3530)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:03 – Updated: 2026-03-26 20:03
VLAI?
Title
OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
Summary
Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | OpenID Connect / OAuth client |
Affected:
0.0.0 , < 1.5.0
(semver)
|
Date Public ?
2026-03-04 18:00
Credits
Drew Webber (mcdruid)
Drew Webber (mcdruid)
Philip Frilling (pfrilling)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/openid_connect",
"defaultStatus": "unaffected",
"product": "OpenID Connect / OAuth client",
"repo": "https://git.drupalcode.org/project/openid_connect",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Philip Frilling (pfrilling)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.\u003cp\u003eThis issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:03:39.756Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3530",
"datePublished": "2026-03-26T20:03:39.756Z",
"dateReserved": "2026-03-04T16:41:58.794Z",
"dateUpdated": "2026-03-26T20:03:39.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3529 (GCVE-0-2026-3529)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:03 – Updated: 2026-03-26 20:03
VLAI?
Title
Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Google Analytics GA4 |
Affected:
0.0.0 , < 1.1.14
(semver)
|
Date Public ?
2026-03-04 17:59
Credits
Pierre Rudloff (prudloff)
Sujan Shrestha (sujan shrestha)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ga4_google_analytics",
"defaultStatus": "unaffected",
"product": "Google Analytics GA4",
"repo": "https://git.drupalcode.org/project/ga4_google_analytics",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.14",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sujan Shrestha (sujan shrestha)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T17:59:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:03:28.917Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3529",
"datePublished": "2026-03-26T20:03:28.917Z",
"dateReserved": "2026-03-04T16:41:57.792Z",
"dateUpdated": "2026-03-26T20:03:28.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3528 (GCVE-0-2026-3528)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:03 – Updated: 2026-03-26 20:03
VLAI?
Title
Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Calculation Fields |
Affected:
0.0.0 , < 1.0.4
(semver)
|
Date Public ?
2026-03-04 17:58
Credits
Drew Webber (mcdruid)
Joao Paulo Constantino (joaopauloc.dev)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/calculation_fields",
"defaultStatus": "unaffected",
"product": "Calculation Fields",
"repo": "https://git.drupalcode.org/project/calculation_fields",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joao Paulo Constantino (joaopauloc.dev)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T17:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Calculation Fields: from 0.0.0 before 1.0.4.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:03:20.863Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3528",
"datePublished": "2026-03-26T20:03:20.863Z",
"dateReserved": "2026-03-04T16:41:56.653Z",
"dateUpdated": "2026-03-26T20:03:20.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3527 (GCVE-0-2026-3527)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:03 – Updated: 2026-03-26 20:03
VLAI?
Title
AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
Summary
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.
Severity ?
No CVSS data available.
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AJAX Dashboard |
Affected:
0.0.0 , < 3.1.0
(semver)
|
Date Public ?
2026-03-04 17:57
Credits
Juraj Nemec (poker10)
Michael Nolan (laboratory.mike)
Bram Driesen (bramdriesen)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ajax_dashboard",
"defaultStatus": "unaffected",
"product": "AJAX Dashboard",
"repo": "https://git.drupalcode.org/project/ajax_dashboard",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Michael Nolan (laboratory.mike)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T17:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.\u003c/p\u003e"
}
],
"value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:03:05.935Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-022"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3527",
"datePublished": "2026-03-26T20:03:05.935Z",
"dateReserved": "2026-03-04T16:41:55.560Z",
"dateUpdated": "2026-03-26T20:03:05.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3526 (GCVE-0-2026-3526)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:02 – Updated: 2026-03-26 20:02
VLAI?
Title
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
Summary
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | File Access Fix (deprecated) |
Affected:
0.0.0 , < 1.2.0
(semver)
|
Date Public ?
2026-03-04 17:56
Credits
Pierre Rudloff (prudloff)
Merlin Axel Rutz (geek-merlin)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/file_access_fix",
"defaultStatus": "unaffected",
"product": "File Access Fix (deprecated)",
"repo": "https://git.drupalcode.org/project/file_access_fix",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Merlin Axel Rutz (geek-merlin)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T17:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.\u003cp\u003eThis issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:02:55.103Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-021"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3526",
"datePublished": "2026-03-26T20:02:55.103Z",
"dateReserved": "2026-03-04T16:41:54.347Z",
"dateUpdated": "2026-03-26T20:02:55.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3525 (GCVE-0-2026-3525)
Vulnerability from cvelistv5 – Published: 2026-03-26 20:02 – Updated: 2026-03-26 20:02
VLAI?
Title
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
Summary
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | File Access Fix (deprecated) |
Affected:
0.0.0 , < 1.2.0
(semver)
|
Date Public ?
2026-03-04 17:54
Credits
Pierre Rudloff (prudloff)
Merlin Axel Rutz (geek-merlin)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/file_access_fix",
"defaultStatus": "unaffected",
"product": "File Access Fix (deprecated)",
"repo": "https://git.drupalcode.org/project/file_access_fix",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Merlin Axel Rutz (geek-merlin)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-03-04T17:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.\u003cp\u003eThis issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T20:02:25.154Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-020"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3525",
"datePublished": "2026-03-26T20:02:25.154Z",
"dateReserved": "2026-03-04T16:41:52.841Z",
"dateUpdated": "2026-03-26T20:02:25.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3218 (GCVE-0-2026-3218)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:24 – Updated: 2026-03-26 14:42
VLAI?
Title
Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Responsive Favicons |
Affected:
0.0.0 , < 2.0.2
(semver)
|
Date Public ?
2026-02-25 18:51
Credits
Simon Bäse (simonbaese)
Frank Mably (mably)
Sean Hamlin (wiifm)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:58:52.195330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:42:31.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/responsive_favicons",
"defaultStatus": "unaffected",
"product": "Responsive Favicons",
"repo": "https://git.drupalcode.org/project/responsive_favicons",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Simon B\u00c3\u00a4se (simonbaese)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Frank Mably (mably)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sean Hamlin (wiifm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:51:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Responsive Favicons: from 0.0.0 before 2.0.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:24:55.196Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-019"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3218",
"datePublished": "2026-03-25T15:24:55.196Z",
"dateReserved": "2026-02-25T17:19:35.631Z",
"dateUpdated": "2026-03-26T14:42:31.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3217 (GCVE-0-2026-3217)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:24 – Updated: 2026-03-25 19:59
VLAI?
Title
SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS).This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | SAML SSO - Service Provider |
Affected:
0.0.0 , < 3.1.3
(semver)
|
Date Public ?
2026-02-25 18:51
Credits
Drew Webber (mcdruid)
Sudhanshu Dhage (sudhanshu0542)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:59:29.225129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:59:46.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_saml",
"defaultStatus": "unaffected",
"product": "SAML SSO - Service Provider",
"repo": "https://git.drupalcode.org/project/miniorange_saml",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.1.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:51:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS).This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:24:30.977Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-018"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3217",
"datePublished": "2026-03-25T15:24:30.977Z",
"dateReserved": "2026-02-25T16:59:33.466Z",
"dateUpdated": "2026-03-25T19:59:46.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3216 (GCVE-0-2026-3216)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:24 – Updated: 2026-03-26 14:41
VLAI?
Title
Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017
Summary
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.
Severity ?
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Canvas |
Affected:
0.0.0 , < 1.1.1
(semver)
|
Date Public ?
2026-02-25 18:51
Credits
Drew Webber (mcdruid)
Bálint Kléri (balintbrews)
Ignacio Sánchez Holgueras (isholgueras)
Drew Webber (mcdruid)
Narendra Singh Rathore (narendrar)
Christian López EspÃnola (penyaskito)
Tim Plunkett (tim.plunkett)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:13:57.967836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:41:26.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/canvas",
"defaultStatus": "unaffected",
"product": "Drupal Canvas",
"repo": "https://git.drupalcode.org/project/canvas",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00c3\u00a1lint Kl\u00c3\u00a9ri (balintbrews)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ignacio S\u00c3\u00a1nchez Holgueras (isholgueras)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Narendra Singh Rathore (narendrar)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tim Plunkett (tim.plunkett)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:51:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.\u003cp\u003eThis issue affects Drupal Canvas: from 0.0.0 before 1.1.1.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:24:17.937Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-017"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3216",
"datePublished": "2026-03-25T15:24:17.937Z",
"dateReserved": "2026-02-25T16:59:32.261Z",
"dateUpdated": "2026-03-26T14:41:26.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3215 (GCVE-0-2026-3215)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:24 – Updated: 2026-03-26 14:40
VLAI?
Title
Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Date Public ?
2026-02-25 18:49
Credits
Drew Webber (mcdruid)
Joe Corall (joecorall)
Rosie Le Faive (rosiel)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:59:59.165020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:40:02.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/islandora",
"defaultStatus": "unaffected",
"product": "Islandora",
"repo": "https://git.drupalcode.org/project/islandora",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.17.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joe Corall (joecorall)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Rosie Le Faive (rosiel)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Islandora: from 0.0.0 before 2.17.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:24:03.936Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-016"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3215",
"datePublished": "2026-03-25T15:24:03.936Z",
"dateReserved": "2026-02-25T16:59:30.656Z",
"dateUpdated": "2026-03-26T14:40:02.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3214 (GCVE-0-2026-3214)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:23 – Updated: 2026-03-26 13:44
VLAI?
Title
CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.
Severity ?
6.5 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
Date Public ?
2026-02-25 18:47
Credits
Andrew Wang (andrew.wang)
Andrew Belcher (andrewbelcher)
Chris Dudley (dudleyc)
M Parker (mparker17)
tamasd
Tim Wood (timwood)
Denis K**** (dench0)
Joshua Sedler (grevil)
Jakob P (japerry)
Adam Nagy (joevagyok)
cilefen (cilefen)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Michael Hess (mlhess)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T13:44:20.728731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T13:44:25.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/captcha",
"defaultStatus": "unaffected",
"product": "CAPTCHA",
"repo": "https://git.drupalcode.org/project/captcha",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.0.10",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrew Wang (andrew.wang)"
},
{
"lang": "en",
"type": "finder",
"value": "Andrew Belcher (andrewbelcher)"
},
{
"lang": "en",
"type": "finder",
"value": "Chris Dudley (dudleyc)"
},
{
"lang": "en",
"type": "finder",
"value": "M Parker (mparker17)"
},
{
"lang": "en",
"type": "finder",
"value": "tamasd"
},
{
"lang": "en",
"type": "finder",
"value": "Tim Wood (timwood)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Denis K**** (dench0)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joshua Sedler (grevil)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakob P (japerry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Adam Nagy (joevagyok)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Michael Hess (mlhess)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.\u003cp\u003eThis issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:23:43.968Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-015"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3214",
"datePublished": "2026-03-25T15:23:43.968Z",
"dateReserved": "2026-02-25T16:59:29.386Z",
"dateUpdated": "2026-03-26T13:44:25.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3213 (GCVE-0-2026-3213)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:22 – Updated: 2026-03-26 14:47
VLAI?
Title
Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.
Severity ?
4.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Anti-Spam by CleanTalk |
Affected:
0.0.0 , < 9.7.0
(semver)
|
Date Public ?
2026-02-25 18:46
Credits
Drew Webber (mcdruid)
glomberg
Drew Webber (mcdruid)
sergefcleantalk
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:00:32.267862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:47:06.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/cleantalk",
"defaultStatus": "unaffected",
"product": "Anti-Spam by CleanTalk",
"repo": "https://git.drupalcode.org/project/cleantalk",
"vendor": "Drupal",
"versions": [
{
"lessThan": "9.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "glomberg"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "sergefcleantalk"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:46:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:22:26.583Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-014"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3213",
"datePublished": "2026-03-25T15:22:26.583Z",
"dateReserved": "2026-02-25T16:59:28.345Z",
"dateUpdated": "2026-03-26T14:47:06.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3212 (GCVE-0-2026-3212)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:22 – Updated: 2026-03-26 14:38
VLAI?
Title
Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Date Public ?
2026-02-25 18:45
Credits
David López (akalam)
Mingsong (mingsong)
David López (akalam)
David Galeano (gxleano)
Mingsong (mingsong)
Damien McKenna (damienmckenna)
Dan Smith (galooph)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:01:00.711708Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:38:54.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tagify",
"defaultStatus": "unaffected",
"product": "Tagify",
"repo": "https://git.drupalcode.org/project/tagify",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.49",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "David L\u00c3\u00b3pez (akalam)"
},
{
"lang": "en",
"type": "finder",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "David L\u00c3\u00b3pez (akalam)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "David Galeano (gxleano)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dan Smith (galooph)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Tagify: from 0.0.0 before 1.2.49.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:22:11.601Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-013"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3212",
"datePublished": "2026-03-25T15:22:11.601Z",
"dateReserved": "2026-02-25T16:59:27.087Z",
"dateUpdated": "2026-03-26T14:38:54.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3211 (GCVE-0-2026-3211)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:21 – Updated: 2026-03-26 14:36
VLAI?
Title
Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Theme Negotiation by Rules |
Affected:
0.0.0 , < 1.2.1
(semver)
|
Date Public ?
2026-02-25 18:44
Credits
Juraj Nemec (poker10)
Zoltan Attila Horvath (huzooka)
Juraj Nemec (poker10)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:01:50.080840Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:36:19.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/theme_rule",
"defaultStatus": "unaffected",
"product": "Theme Negotiation by Rules",
"repo": "https://git.drupalcode.org/project/theme_rule",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Zoltan Attila Horvath (huzooka)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:44:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:21:53.456Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-012"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3211",
"datePublished": "2026-03-25T15:21:53.456Z",
"dateReserved": "2026-02-25T16:59:25.803Z",
"dateUpdated": "2026-03-26T14:36:19.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3210 (GCVE-0-2026-3210)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:21 – Updated: 2026-03-26 14:34
VLAI?
Title
Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
Summary
Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Material Icons |
Affected:
0.0.0 , < 2.0.4
(semver)
|
Date Public ?
2026-02-25 18:43
Credits
Jen M (jannakha)
Bryan Sharpe (b_sharpe)
Jen M (jannakha)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:02:52.139144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:34:55.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/material_icons",
"defaultStatus": "unaffected",
"product": "Material Icons",
"repo": "https://git.drupalcode.org/project/material_icons",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jen M (jannakha)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bryan Sharpe (b_sharpe)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jen M (jannakha)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-02-25T18:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.\u003cp\u003eThis issue affects Material Icons: from 0.0.0 before 2.0.4.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:21:43.470Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-011"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-3210",
"datePublished": "2026-03-25T15:21:43.470Z",
"dateReserved": "2026-02-25T16:59:24.447Z",
"dateUpdated": "2026-03-26T14:34:55.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2349 (GCVE-0-2026-2349)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:21 – Updated: 2026-03-25 20:03
VLAI?
Title
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
Date Public ?
2026-02-11 16:54
Credits
Drew Webber (mcdruid)
Jean Valverde (mogtofu33)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-2349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:03:26.630487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T20:03:40.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ui_icons",
"defaultStatus": "unaffected",
"product": "UI Icons",
"repo": "https://git.drupalcode.org/project/ui_icons",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jean Valverde (mogtofu33)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2026-02-11T16:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:21:28.488Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-010"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-2349",
"datePublished": "2026-03-25T15:21:28.488Z",
"dateReserved": "2026-02-11T15:48:45.648Z",
"dateUpdated": "2026-03-25T20:03:40.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2348 (GCVE-0-2026-2348)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:20 – Updated: 2026-03-26 14:32
VLAI?
Title
Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Quick Edit |
Affected:
0.0.0 , < 1.0.5
(semver)
Affected: 2.0.0 , < 2.0.1 (semver) |
Date Public ?
2026-02-11 16:53
Credits
Drew Webber (mcdruid)
Derek Wright (dww)
Vladimir Roudakov (vladimiraus)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-2348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:03:51.458683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:32:07.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/quickedit",
"defaultStatus": "unaffected",
"product": "Quick Edit",
"repo": "https://git.drupalcode.org/project/quickedit",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.0.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Derek Wright (dww)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Vladimir Roudakov (vladimiraus)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2026-02-11T16:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:20:53.201Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-009"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-2348",
"datePublished": "2026-03-25T15:20:53.201Z",
"dateReserved": "2026-02-11T15:48:44.422Z",
"dateUpdated": "2026-03-26T14:32:07.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1917 (GCVE-0-2026-1917)
Vulnerability from cvelistv5 – Published: 2026-03-25 15:20 – Updated: 2026-03-26 14:11
VLAI?
Title
Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.
Severity ?
4.3 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Login Disable |
Affected:
0.0.0 , < 2.1.3
(semver)
|
Date Public ?
2026-02-04 17:23
Credits
Pierre Rudloff (prudloff)
Boris Doesborg (batigolix)
Pierre Rudloff (prudloff)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1917",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T13:38:48.497391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:11:44.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/login_disable",
"defaultStatus": "unaffected",
"product": "Login Disable",
"repo": "https://git.drupalcode.org/project/login_disable",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Boris Doesborg (batigolix)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-02-04T17:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.\u003cp\u003eThis issue affects Login Disable: from 0.0.0 before 2.1.3.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T15:20:20.274Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-1917",
"datePublished": "2026-03-25T15:20:20.274Z",
"dateReserved": "2026-02-04T16:14:23.990Z",
"dateUpdated": "2026-03-26T14:11:44.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1554 (GCVE-0-2026-1554)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:26 – Updated: 2026-02-05 15:15
VLAI?
Title
Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007
Summary
XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
Severity ?
4.2 (Medium)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Central Authentication System (CAS) Server |
Affected:
0.0.0 , < 2.0.3
(semver)
Affected: 2.1.0 , < 2.1.2 (semver) |
Date Public ?
2026-01-28 17:29
Credits
Gaël Gosset (gaëlg)
Ted Cooper (elc)
Gaël Gosset (gaëlg)
Jaap Jansma (jaapjansma)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T15:14:46.442485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T15:15:29.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/cas_server",
"defaultStatus": "unaffected",
"product": "Central Authentication System (CAS) Server",
"repo": "https://git.drupalcode.org/project/cas_server",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.1.2",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ted Cooper (elc)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jaap Jansma (jaapjansma)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-28T17:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.\u003cp\u003eThis issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.\u003c/p\u003e"
}
],
"value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91 XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:26:38.850Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-1554",
"datePublished": "2026-02-04T20:26:38.850Z",
"dateReserved": "2026-01-28T17:01:09.595Z",
"dateUpdated": "2026-02-05T15:15:29.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1553 (GCVE-0-2026-1553)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:26 – Updated: 2026-02-04 21:21
VLAI?
Title
Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
Summary
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
Severity ?
4.8 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Canvas |
Affected:
0.0.0 , < 1.0.4
(semver)
|
Date Public ?
2026-01-28 17:28
Credits
jschref
Bálint Kléri (balintbrews)
Matt Glaman (mglaman)
Christian López EspÃnola (penyaskito)
Tim Plunkett (tim.plunkett)
Alex Bronstein (effulgentsia)
Greg Knaddison (greggles)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:21:13.798297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:21:35.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/canvas",
"defaultStatus": "unaffected",
"product": "Drupal Canvas",
"repo": "https://git.drupalcode.org/project/canvas",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jschref"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00c3\u00a1lint Kl\u00c3\u00a9ri (balintbrews)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Matt Glaman (mglaman)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tim Plunkett (tim.plunkett)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alex Bronstein (effulgentsia)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2026-01-28T17:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal Canvas: from 0.0.0 before 1.0.4.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:26:22.334Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-1553",
"datePublished": "2026-02-04T20:26:22.334Z",
"dateReserved": "2026-01-28T17:01:08.406Z",
"dateUpdated": "2026-02-04T21:21:35.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0948 (GCVE-0-2026-0948)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:26 – Updated: 2026-02-04 21:23
VLAI?
Title
Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.
Severity ?
6.5 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Microsoft Entra ID SSO Login |
Affected:
0.0.0 , < 1.0.4
(semver)
|
Date Public ?
2026-01-14 17:57
Credits
Ashish Verma (ashish.verma85)
Dheeraj Jhamtani (dheeraj jhamtani)
Marcelo Vani (marcelovani)
Jaseer Kinangattil (jaseerkinangattil)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:23:14.854904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:23:18.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social_auth_entra_id",
"defaultStatus": "unaffected",
"product": "Microsoft Entra ID SSO Login",
"repo": "https://git.drupalcode.org/project/social_auth_entra_id",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ashish Verma (ashish.verma85)"
},
{
"lang": "en",
"type": "finder",
"value": "Dheeraj Jhamtani (dheeraj jhamtani)"
},
{
"lang": "en",
"type": "finder",
"value": "Marcelo Vani (marcelovani)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jaseer Kinangattil (jaseerkinangattil)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-14T17:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.\u003cp\u003eThis issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:26:02.605Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0948",
"datePublished": "2026-02-04T20:26:02.605Z",
"dateReserved": "2026-01-14T16:52:33.298Z",
"dateUpdated": "2026-02-04T21:23:18.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0947 (GCVE-0-2026-0947)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:25 – Updated: 2026-02-04 21:24
VLAI?
Title
AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AT Internet Piano Analytics |
Affected:
0.0.0 , < 1.0.1
(semver)
Affected: 2.0.0 , < 2.3.1 (semver) |
Date Public ?
2026-01-14 17:56
Credits
Pierre Rudloff (prudloff)
Frank Mably (mably)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T21:24:05.128353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:24:09.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/pianoanalytics",
"defaultStatus": "unaffected",
"product": "AT Internet Piano Analytics",
"repo": "https://git.drupalcode.org/project/pianoanalytics",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.3.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Frank Mably (mably)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-01-14T17:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:25:50.871Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0947",
"datePublished": "2026-02-04T20:25:50.871Z",
"dateReserved": "2026-01-14T16:52:31.950Z",
"dateUpdated": "2026-02-04T21:24:09.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0946 (GCVE-0-2026-0946)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:25 – Updated: 2026-02-06 20:35
VLAI?
Title
AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AT Internet SmartTag |
Affected:
0.0.0 , < 1.0.1
(semver)
|
Date Public ?
2026-01-14 17:55
Credits
Pierre Rudloff (prudloff)
Frank Mably (mably)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:35:19.832501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:35:38.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/atsmarttag",
"defaultStatus": "unaffected",
"product": "AT Internet SmartTag",
"repo": "https://git.drupalcode.org/project/atsmarttag",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Frank Mably (mably)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-14T17:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:25:39.200Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0946",
"datePublished": "2026-02-04T20:25:39.200Z",
"dateReserved": "2026-01-14T16:52:30.774Z",
"dateUpdated": "2026-02-06T20:35:38.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}