Newsfeed-Generator

Project: AJAX DashboardDate: 2026-March-04Security risk: Critical 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <3.1.0CVE IDs: CVE-2026-3527Description: 

AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons.

The module doesn't sufficiently check access on the dashboard configuration route. Unauthorized users could access the entity dashboard configuration page and either enable or disable dashboards. The affected administration page does not permit editing the configurations of the dashboards themselves.

The vulnerability is mitigated by the fact that the AJAX Dashboard Entity Dashboard submodule must be enabled.

Solution: 

Install the latest version of the AJAX Dashboard module, which includes the update to AJAX Dashboard: Entity Dashboards:

• If you use the AJAX Dashboard module, upgrade to AJAX Dashboard 3.1.0

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Michael Nolan (laboratory.mike)

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: File Access Fix (deprecated)Date: 2026-March-04Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.2.0CVE IDs: CVE-2026-3526Description: 

This module moves files to and from private storage depending on the access of its owning entities.

The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances.

This vulnerability is mitigated by the fact that saving an entity a second time resolves the issue.

Solution: 

Install the latest version:

• If you use the File access fix module, upgrade to File access fix 8.x-1.2

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Merlin Axel Rutz (geek-merlin)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: File Access Fix (deprecated)Date: 2026-March-04Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.2.0CVE IDs: CVE-2026-3525Description: 

This module moves files to and from private storage depending on the access of its owning entities.
The module does not sufficiently incorporate the results of hook_file_download when a custom or contrib module implements that hook leading to access bypass.

Solution: 

Install the latest version:

• If you use the File access fix module, upgrade to File access fix 8.x-1.2

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Merlin Axel Rutz (geek-merlin)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team