Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016

Date: 2026-February-25
CVE IDs: CVE-2026-3215

This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment.

The module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to nodes, which can also lead to cross-site scripting and other vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create media" and the ability to edit the node the media is being attached to.

CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Date: 2026-February-25
CVE IDs: CVE-2026-3214

This module enables you to protect web forms from automated spam by requiring users to pass a challenge.

The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions.

This vulnerability is mitigated by the fact that an attacker must first successfully solve at least one CAPTCHA manually to harvest the valid tokens.

Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014

Date: 2026-February-25
CVE IDs: CVE-2026-3213

This module enables you to block bots with its firewall.

The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or blocked by the firewall.

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Date: 2026-February-25
CVE IDs: CVE-2026-3212

This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.

The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

Date: 2026-February-25
CVE IDs: CVE-2026-3211

This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.

The module uses a simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators into clicking on links.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.

Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011

Date: 2026-February-25
CVE IDs: CVE-2026-3210

This module enables you to add icons to CKEditor.

The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.

UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010

Date: 2026-February-11
CVE IDs: CVE-2026-2349

This module enables you to integrate and manage icons with Drupal.

The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule must be enabled.

Note: this SA was edited after release to correct the risk score; there is no user authentication requirement.

Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009

Date: 2026-February-11
CVE IDs: CVE-2026-2348

This module allows content to be edited in-place.

The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create or edit an affected field.

Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

Date: 2026-February-04
CVE IDs: CVE-2026-1917

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page (default: http://example.com/user/login?admin). If they provide the access key and have a specific role, they can log in.

The module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.

Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

Date: 2026-January-28
CVE IDs: CVE-2026-1554

This module enables you to turn a Drupal install into the Central Authentication System (CAS). It makes your database the primary location for other systems to use for authentication in a SSO environment.

The module doesn't sufficiently sanitize user-supplied field values configured to be included as attributes in a CAS server response.

This vulnerability is mitigated by the fact that an attacker must be authenticated, must have the ability to enter XML into a user entity field, and that field must be configured as a CAS attribute source. Under those conditions the unsanitized value leads to an XML Element Injection vulnerability.
