Show advisories for only Drupal Core, only contributed projects, or only PSAs

Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047

Date: 
2026-June-10
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2026-11915

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Composer - Critical - Unsupported - SA-CONTRIB-2026-046

Date: 
2026-June-10
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2026-11914

The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045

Date: 
2026-June-10
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2026-11913

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044

Date: 
2026-June-10
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2026-11909

The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.

The "Read from a file" feature implemented by the file_example submodule can be used to expose any file that PHP can access. Therefore, the file_example sub-module is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.

Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043

Date: 
2026-June-10
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2026-11908

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.

The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session.

The vulnerability is mitigated by the fact an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.

Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042

Date: 
2026-June-03
Security risk: 
Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2026-10770

This module provides spam protection using the CleanTalk cloud service.

The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.

Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041

Date: 
2026-June-03
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2026-10769

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations with Checkout (commerce_checkout) enabled, and the "Comments" checkout pane (id: customer_comments) is explicitly used, which is disabled by default.

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

Date: 
2026-June-03
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2026-49977

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

Date: 
2026-June-03
Security risk: 
Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2026-10768

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview.

The module doesn't sufficiently restrict access to a view of Service Contacts at which exposes the names and content items assigned to each Service Contact.

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

Date: 
2026-May-27
Security risk: 
Highly critical 22 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2026-9726

The Basket module enables e-commerce and checkout functionality for Drupal sites.

The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().

An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.

Pages

Subscribe with RSS Subscribe to Security advisories