Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

Date: 2025-November-05
CVE IDs: CVE-2025-12761

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text, leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

Date: 2025-November-05
CVE IDs: CVE-2025-12760

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03

Date: 2025-November-03

The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114

Date: 2025-October-29
CVE IDs: CVE-2025-12466

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.

The module doesn't sufficiently respect granted scopes; this affects all access checks that are based on roles. For example, routes that have the _role requirement can be bypassed with an access token.

CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

Date: 2025-October-22
CVE IDs: CVE-2025-12083

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

CivicTheme does not sufficiently filter field data before rendering it in Twig templates. This, combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows the injection of malicious scripts in browser contexts.

CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112

Date: 2025-October-22
CVE IDs: CVE-2025-12082

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manual lists, which leads to an information disclosure vulnerability.

Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

Date: 2025-September-24
CVE IDs: CVE-2025-10929

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases when the Drupal core setting $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.

Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110

Date: 2025-September-24
CVE IDs: CVE-2025-10930

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109

Date: 2025-September-24
CVE IDs: CVE-2025-10931

This module enables you to add the Umami Analytics web statistics tracking system to your website.

The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer umami analytics”.

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108

Date: 2025-September-24
CVE IDs: CVE-2025-10928

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.
