Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Date: 2026-May-13
CVE IDs: CVE-2026-8495

This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no configuration required.

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Date: 2026-May-13
CVE IDs: CVE-2026-8493

This module enables you to open content already on the page within a colorbox.

The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

Date: 2026-May-13
CVE IDs: CVE-2026-8492

The GTranslate module provides a language switcher widget for Drupal sites.

The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain.

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Date: 2026-May-13
CVE IDs: CVE-2026-8491

The Node View Permissions module enables the permissions "View own content" and "View any content" for each content type on the permissions page.

The module doesn't sufficiently handle the case where a user account is cancelled and their content is reassigned to the anonymous user.

This vulnerability is mitigated by the fact that only private content to which anonymous users should not have view access is affected, and only if a node was reassigned to the anonymous user.

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Date: 2026-April-22
CVE IDs: CVE-2026-6871

This module enables you to obfuscate email addresses in content.

The module doesn't sufficiently sanitize user input via the Twig filter.

This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Date: 2026-April-15
CVE IDs: CVE-2026-6367

Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.

The suggestions aren't sufficiently sanitized, and a malicious user could trigger a stored cross-site scripting attack against another user.

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Date: 2026-April-15
CVE IDs: CVE-2026-6366

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Date: 2026-April-15
CVE IDs: CVE-2026-6365

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

Date: 2026-April-08
CVE IDs: CVE-2026-6095

The IframeConsent element writes HTML attributes without escaping their value.

This module has an XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Date: 2026-April-01
CVE IDs: CVE-2026-5343

This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.
