Newsfeed Generator

Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

Drupal Contrib Security - 28 January 2026 - 18:29
Project: Central Authentication System (CAS) Server
Date: 2026-January-28
Security risk: Less critical 6 ∕ 25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: XML Element Injection
Affected versions: <2.0.3 || >=2.1.0 <2.1.2
CVE IDs: CVE-2026-1554
Description:

This module enables you to turn a Drupal install into a Central Authentication System (CAS) server. It makes your database the primary location for other systems to use for authentication in an SSO environment.

The module doesn't sufficiently sanitize user-supplied field values configured to be included as attributes in a CAS server response.

This vulnerability is mitigated by the fact that an attacker must be authenticated, must be able to enter XML into a user entity field, and that field must be configured as a CAS Attribute source for the XML Element Injection to be possible.

Solution: 

Install the latest version:

  • If you use the CAS Server module for Drupal >=9.1.x or 10.x, upgrade to CAS Server 2.0.3
  • If you use the CAS Server module for Drupal >=10.3.x or 11.x, upgrade to CAS Server 2.1.2
Reported By: 
  • Gaël Gosset (gaëlg)
Fixed By: 
  • Ted Cooper (elc)
  • Gaël Gosset (gaëlg)
  • Jaap Jansma (jaapjansma)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006

Drupal Contrib Security - 28 January 2026 - 18:28
Project: Drupal Canvas
Date: 2026-January-28
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-1553
Description:

The Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease.

The module doesn't sufficiently validate access to Canvas Pages when they are unpublished.

This vulnerability is mitigated by the fact that Canvas Pages do not have content moderation enabled by default, a page must have been unpublished after being released, and the module does not yet provide an archiving feature.

Solution: 

Install the latest version:

If you use the Drupal Canvas module, upgrade to Canvas 1.0.4.

Reported By: 
  • jschref
Fixed By: 
  • Bálint Kléri (balintbrews)
  • Matt Glaman (mglaman)
  • Christian López Espínola (penyaskito)
  • Tim Plunkett (tim.plunkett)
Coordinated By: 
  • Alex Bronstein (effulgentsia) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
Categories: Drupal Security

Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

Drupal Contrib Security - 14 January 2026 - 18:57
Project: Microsoft Entra ID SSO Login
Date: 2026-January-14
Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-0948
Description:

This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0.

The module doesn't sufficiently validate API responses from Microsoft, allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.

Solution: 
  1. If you use the Microsoft Entra ID SSO Login module, update to the module's latest version, Microsoft Entra ID SSO Login 2.0.0 (or Microsoft Entra ID SSO Login 1.0.4).
  2. Review the release notes and module documentation for information on how to update your configuration with the new module release.
  3. Site administrators should also review their security settings after upgrading and consider enabling the "Block User 1" and "Block Administrator role" options for additional protection.
Reported By: 
  • Ashish Verma (ashish.verma85)
  • Dheeraj Jhamtani (dheeraj jhamtani)
  • Marcelo Vani (marcelovani)
Fixed By: 
  • Jaseer Kinangattil (jaseerkinangattil)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004

Drupal Contrib Security - 14 January 2026 - 18:56
Project: AT Internet Piano Analytics
Date: 2026-January-14
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.0.1 || >=2.0.0 <2.3.1
CVE IDs: CVE-2026-0947
Description:

This module integrates the AT Internet Piano Analytics service.

The module does not filter administrator-entered text, leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pianoanalytics".

Solution: 

Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.

  • If you use the AT Internet Piano Analytics module for Drupal 10+, upgrade to AT Internet Piano Analytics 2.3.1
  • If you use the AT Internet Piano Analytics module for Drupal 9, upgrade to AT Internet Piano Analytics 1.0.1
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Frank Mably (mably)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Categories: Drupal Security

AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003

Drupal Contrib Security - 14 January 2026 - 18:55
Project: AT Internet SmartTag
Date: 2026-January-14
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.0.1
CVE IDs: CVE-2026-0946
Description:

This module integrates the AT Internet SmartTag service.

The module does not filter administrator-entered text, leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag".

Solution: 

Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.

  • If you use the AT Internet SmartTag module for Drupal 9 and 10, upgrade to AT Internet SmartTag 1.0.1
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Frank Mably (mably)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

Drupal Contrib Security - 14 January 2026 - 18:54
Project: Role Delegation
Date: 2026-January-14
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: >=1.3.0 <1.5.0
CVE IDs: CVE-2026-0945
Description:

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user with the ability to delegate a role is also able to assign the administrator role, including to their own user.

This vulnerability is mitigated by the fact that an attacker must have access to a view of users with the Views Bulk Operations module enabled.

Solution: 

Install the latest version:

  • If you use the Role Delegation module for Drupal ^10.3 || ^11, upgrade to Role Delegation 8.x-1.5
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Adam Bramley (acbramley)
  • Dieter Holvoet (dieterholvoet)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

Drupal Contrib Security - 14 January 2026 - 18:53
Project: Group invite
Date: 2026-January-14
Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4
CVE IDs: CVE-2026-0944
Description:

This module allows group managers to invite people into their group.

The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.

This vulnerability is mitigated by the fact that it only occurs when certain uncommon actions are taken by a user with the permission to create group invites.

Solution: 

Install the latest version:

  • If you use the Group Invite module 2.3.x, upgrade to Group Invite 2.3.9
  • If you use the Group Invite module 3.0.x, upgrade to Group Invite 3.0.4
  • If you use the Group Invite module 4.0.x, upgrade to Group Invite 4.0.4
Reported By: 
  • Kevin Quillen (kevinquillen)
Fixed By: 
  • eduardo morales alberti
  • Kevin Quillen (kevinquillen)
  • Nikolay Lobachev (lobsterr)
  • Ricardo Sanz Ante (tunic)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Usergroup Berlin – January 2026

Drupal User-Group Berlin - 3 January 2026 - 17:43
Start: 2026-01-08 19:30 - 22:00 Europe/Berlin
Organizers: akoe norman.lol stolzenhain
Event type: User group meeting

https://drupalberlin.de

Dear Berlin Drupal community!

The new year starts a little differently than usual:
Our January meetup will not take place on the 1st Thursday, but on the
2nd Thursday of the month – January 8th, 2026, starting at 7:30 PM.

We’ll also be meeting at a different location than usual. This time, we’re kindly hosted at Florian’s office space at Ultrabold:

Ultrabold – Office Space
Blücherstr. 22
Courtyard 3 – Stairway 6
2nd floor
10961 Berlin

We’ve planned two exciting and slightly more interactive topics for January:

Topics of the evening

End-of-Life dates for PHP, Symfony & Drupal – Nemo
Nemo will give a short session about the project
https://endoflife.date/

with a special focus on PHP, Symfony, and Drupal end-of-life timelines:
Why they matter, how to keep track of them, and what they mean for our day-to-day project work.

Show & Tell: Your dotfiles – Norman
A participatory session for everyone who’s interested:
Norman invites us to take a look at our dotfiles (.bashrc, .zshrc, etc.):

What small helpers, functions, or aliases do you use?

What makes your Drupal (or general web dev) workflow smoother?

Maybe we’ll even create some new snippets together on the spot.

Feel free to bring your dotfiles along – to show, discuss, or improve together.

As always:
If you have additional topics, questions, concerns, or projects you’d like to share, just bring them along or drop us a message beforehand.

Join us, connect with fellow Drupal developers, and kick off the Drupal year 2026 together!

Categories: Planet Drupal

HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126

Drupal Contrib Security - 17 December 2025 - 18:47
Project: HTTP Client Manager
Date: 2025-December-17
Security risk: Less critical 8 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Affected versions: <9.3.13 || >=10.0.0 <10.0.2 || >=11.0.0 <11.0.1
CVE IDs: CVE-2025-14840
Description:

Http Client Manager introduces a new Guzzle-based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA) automation.

The module does not sufficiently maintain separation of data from request operations, potentially leading to information disclosure in very uncommon situations.

Solution: 

Install the latest version:

  • If you use the Http Client Manager module 9.3.x, upgrade to Http Client Manager 9.3.13
  • If you use the Http Client Manager module 10.0.x, upgrade to Http Client Manager 10.0.2
  • If you use the Http Client Manager module 11.0.x, upgrade to Http Client Manager 11.0.1
Reported By: 
  • mxh
Fixed By: 
  • Adriano Cori (aronne)
  • mxh
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125

Drupal Contrib Security - 10 December 2025 - 18:53
Project: Acquia Content Hub
Date: 2025-December-10
Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Cross-Site Request Forgery
Affected versions: <3.6.4 || >=3.7.0 <3.7.3
CVE IDs: CVE-2025-14472
Description:

This module provides a centralized content distribution and syndication solution so that customers can publish, reuse, and syndicate content across a network of Drupal websites.

The module doesn't sufficiently protect export routes from cross-site request forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into exporting an unwanted entity.

Solution: 

Install the latest version:

  • If you use Acquia Content Hub 3.6.x, upgrade to Acquia Content Hub 3.6.4.
  • If you use Acquia Content Hub 3.7.x, upgrade to Acquia Content Hub 3.7.3.
  • The latest version, Acquia Content Hub 3.8.0, is also now available with both the security fix and other improvements.
Reported By: 
  • Lee Rowlands (larowlan) of the Drupal Security Team
Fixed By: 
  • Kirti Garg (kirti_garg)
  • Narendra Shenvi Desai (n4r3n)
  • Peter Pajor (pajor)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124

Drupal Contrib Security - 3 December 2025 - 19:49
Project: Disable Login Page
Date: 2025-December-03
Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.1.3
CVE IDs: CVE-2025-13986
Description:

This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.

The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.

This vulnerability is mitigated by the fact that an attacker must already possess valid account credentials.

Solution: 

Install the latest version:

  • If you use the Disable Login Page module, upgrade to Disable Login Page 1.1.3
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Anoop John (anoopjohn)
  • Jijo Joseph (jijojoseph_zyxware)
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Coordinated By: 
  • cilefen (cilefen) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123

Drupal Contrib Security - 3 December 2025 - 19:49
Project: Entity Share
Date: 2025-December-03
Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass, Information Disclosure
Affected versions: <3.13.0
CVE IDs: CVE-2025-13985
Description:

This module enables you to deploy content from one Drupal website to another.

The module provides some default configuration without sufficient access control.

This vulnerability is mitigated by the fact that an administrator can add access control permissions to the default configuration.

Solution: 

Install the latest version:

  • If you use the Entity Share module for Drupal on branch 8.x-3.x, upgrade to Entity Share 8.x-3.13.

For a hotfix without upgrading the module, edit the entity_share_client_entity_import_status view to ensure access permissions are set.

Reported By: 
  • Jürgen Haas (jurgenhaas)
Fixed By: 
  • Florent Torregrosa (grimreaper)
  • Joachim Noreiko (joachim)
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • cilefen (cilefen) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

Drupal Contrib Security - 3 December 2025 - 19:49
Project: Next.js
Date: 2025-December-03
Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.6.4 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-13984
Description:

This module enables integration between Next.js and Drupal for headless CMS functionality.

When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.

This vulnerability affects all installations as there are no configuration options to disable this behavior.
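The check a site operator wants after reading this advisory, as an added example that is not code from the Next.js module or from Drupal core: the first function audits a cors.config mapping as it appears under parameters: in sites/default/services.yml (the keys enabled, allowedOrigins, allowedMethods, allowedHeaders and supportsCredentials are Drupal core's own), and the second audits the CORS headers of one captured HTTP response, which catches a wildcard no matter which module or proxy added it. The trusted-origin set, the two sample configurations and the sample response headers are constructed for the example. The reflected-origin and Vary: Origin checks go beyond the advisory to the neighbouring CORS misconfigurations a review would normally cover at the same time.

```python
"""Audit Drupal CORS settings for the permissive default described in
SA-CONTRIB-2025-122 (Access-Control-Allow-Origin: * for every origin).

Added example, not code from the Next.js module or from Drupal core.
All sample data below is constructed.
"""
from typing import Dict, List

# Origins this site is expected to serve cross-origin (hypothetical value).
TRUSTED_ORIGINS = {"https://frontend.example"}

# What the advisory describes: every origin allowed, with no way to turn it off.
# Keys mirror cors.config under `parameters:` in sites/default/services.yml.
INSECURE_DEFAULT = {
    "enabled": True,
    "allowedOrigins": ["*"],
    "allowedMethods": ["*"],
    "allowedHeaders": ["*"],
    "supportsCredentials": False,
}

# A restricted configuration: only the front end, only the methods it needs.
RESTRICTED = {
    "enabled": True,
    "allowedOrigins": ["https://frontend.example"],
    "allowedMethods": ["GET", "POST", "OPTIONS"],
    "allowedHeaders": ["Content-Type", "Authorization"],
    "supportsCredentials": False,
}


def audit_cors_config(cfg: Dict[str, object]) -> List[str]:
    """Return finding codes for one cors.config mapping; an empty list means OK."""
    findings: List[str] = []
    if not cfg.get("enabled", False):
        return findings  # CORS disabled: the browser's same-origin policy applies
    origins = list(cfg.get("allowedOrigins") or [])
    if "*" in origins:
        findings.append("wildcard-origin")
        if cfg.get("supportsCredentials"):
            findings.append("wildcard-with-credentials")
    else:
        untrusted = sorted(set(origins) - TRUSTED_ORIGINS)
        if untrusted:
            findings.append("untrusted-origin:" + ",".join(untrusted))
    if "*" in list(cfg.get("allowedMethods") or []):
        findings.append("wildcard-methods")
    return findings


def audit_cors_headers(headers: Dict[str, str], request_origin: str) -> List[str]:
    """Return finding codes for the CORS headers of one HTTP response.

    Works on captured headers (for example from `curl -i -H 'Origin: ...'`),
    so it catches a wildcard no matter which module or proxy added it.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return findings  # no cross-origin grant at all
    if acao == "*":
        findings.append("wildcard-origin")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("wildcard-with-credentials")
        return findings
    if acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        findings.append("untrusted-origin-reflected")
    # A per-origin grant must vary on Origin, otherwise a shared cache can
    # hand one origin's grant to a different origin.
    if "origin" not in h.get("vary", "").lower():
        findings.append("missing-vary-origin")
    return findings


if __name__ == "__main__":
    print("insecure default:", audit_cors_config(INSECURE_DEFAULT))
    print("restricted:      ", audit_cors_config(RESTRICTED))
    print("live response:   ", audit_cors_headers(
        {"Access-Control-Allow-Origin": "*", "Content-Type": "application/json"},
        "https://somewhere.example"))
```

Run the header audit against a response fetched with an Origin header set to a site you do not own; after the upgrade and the services.yml review the advisory asks for, it should return no findings for that origin.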

Solution: 

There are two steps to resolve the issue: install the latest version and review your configuration.

  1. Update the module:
    • If you use the Next.js module for Drupal 10 or 11, upgrade to Next.js 2.0.1.
    • If you use the Next.js module for Drupal 9 (1.x branch), upgrade to Next.js 1.6.4.
  2. After upgrading, review the CORS configuration in sites/default/services.yml (see this module's CORS.md for details). This is especially important if you previously relied on the automatic CORS configuration.

Reported By: 
  • Mike Decker (pookmish)
Fixed By: 
  • Brian Perry (brianperry)
  • Rob Decker (rrrob)
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

Drupal Contrib Security - 3 December 2025 - 19:48
Project: Tagify
Date: 2025-December-03
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross-site Scripting
Affected versions: <1.2.44
CVE IDs: CVE-2025-13983
Description:

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.

The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.

Solution: 

Install the latest version:

  • If you use the Tagify module for Drupal, upgrade to Tagify 1.2.44.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • David Galeano (gxleano)
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120

Drupal Contrib Security - 3 December 2025 - 19:48
Project: Login Time Restriction
Date: 2025-December-03
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Cross-Site Request Forgery
Affected versions: <1.0.3
CVE IDs: CVE-2025-13982
Description:

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.

The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.

Solution: 

Install the latest version:

  • If you use the Login Time Restriction module for Drupal, upgrade to Login Time Restriction v1.0.3.
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Kunal Singh (kunal_singh)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

Drupal Contrib Security - 3 December 2025 - 19:48
Project: AI (Artificial Intelligence)
Date: 2025-December-03
Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-Site Scripting
Affected versions: <1.0.7 || >=1.1.0 <1.1.7 || >=1.2.0 <1.2.4
CVE IDs: CVE-2025-13981
Description:

This module provides the ability to chat with an AI Agent using a large language model (LLM) provider for different purposes.

The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability: an attacker can place a prompt injection in user-generated content that is passed to the LLM as context.

Solution: 

Install the latest version:

  • If you use the AI module 1.0.x, upgrade to AI 1.0.7.
  • If you use the AI module 1.1.x, upgrade to AI 1.1.7.
  • If you use the AI module 1.2.x, upgrade to AI 1.2.4.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Marcus Johansson (marcus_johansson)
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

Drupal Contrib Security - 3 December 2025 - 19:48
Project: CKEditor 5 Premium Features
Date: 2025-December-03
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0 <1.5.1 || >=1.6.0 <1.6.4
CVE IDs: CVE-2025-13980
Description:

The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.

This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.

This access bypass is possible for any account with a View published content permission, but the risk is mitigated by the fact that only images can be opened.
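The containment check whose absence produces this class of path traversal, as an added example that is neither the module's code nor its fix: a requested file name is resolved against a fixed base directory and rejected if the real path, symlinks included, ends up outside that directory. The directory layout exercised in demo() is constructed inside a temporary directory so the check can be run offline; the base directory name and file names are hypothetical.

```python
"""Containment check for user-supplied file paths, the control whose absence
leads to the path traversal / access bypass class described in SA-CONTRIB-2025-118.

Added example, not code from the CKEditor 5 Premium Features module.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_within(base_dir: str, requested: str) -> Optional[Path]:
    """Return the real path of `requested` inside `base_dir`, or None if it escapes.

    Both sides go through realpath, so symlinks are followed before the
    comparison. The comparison is on path components (relative_to), not a
    string prefix, so a sibling such as /srv/images-old does not pass for the
    base /srv/images.
    """
    base = Path(os.path.realpath(base_dir))
    # An absolute or empty request would discard base_dir when joined; refuse it.
    if not requested.strip() or os.path.isabs(requested):
        return None
    candidate = Path(os.path.realpath(base / requested))
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # resolved outside the base directory
    return candidate


def demo() -> Dict[str, bool]:
    """Exercise the check in a throwaway tree; returns case name -> accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp, "images")            # the only directory to serve from
        images.mkdir()
        (images / "ok.png").write_bytes(b"\x89PNG")
        secret = Path(tmp, "secret.txt")        # lives outside the base
        secret.write_text("not for download")
        (images / "link").symlink_to(secret)    # symlink that points outside
        Path(tmp, "images-old").mkdir()         # sibling with the base as prefix

        cases = {
            "plain file": "ok.png",
            "dot segments staying inside": "sub/../ok.png",
            "dot segments escaping": "../secret.txt",
            "symlink escaping": "link",
            "absolute path": str(secret),
            "sibling directory": "../images-old/x.png",
        }
        return {name: resolve_within(str(images), req) is not None
                for name, req in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{'allow' if accepted else 'deny '}  {name}")
```

Only the first two cases are accepted; every other request resolves outside the served directory and is refused before any file is opened.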

Solution: 

Install the latest version:

  • If you use the 10.3 or higher or 11.x versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.6.4.
  • If you use the 10.0 to 10.2 versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.5.1.
  • If you use the 9.x version of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.3.6.

A fix was also released for the already unsupported branches. However, we recommend using the latest version that works with the version of Drupal core that you're using:

  • CKEditor 5 Premium Features 1.4.3.
  • CKEditor 5 Premium Features 1.2.10.

After the module is updated, if you are using the Export to Word or Export to PDF plugins, please grant the Use exporters endpoints permission to roles that are allowed to use text formats with export plugins enabled.

Reported By: 
  • Wojciech Kukowski (salmonek)
Fixed By: 
  • Wojciech Kukowski (salmonek)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

Drupal Contrib Security - 3 December 2025 - 19:47
Project: Mini site
Date: 2025-December-03
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-Site Scripting
Affected versions: <3.0.2
CVE IDs: CVE-2025-13979
Description:

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the create [bundle] content permission.

Solution: 

Two steps are required. Install the latest version and adjust configuration:

  1. If you use Mini site 2.x or 3.x, upgrade to Mini site 3.0.2.
  2. A new manage minisites permission has been added. This new permission will need to be assigned to a trusted role for the user to be able to upload the zip file.

Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • cb_govcms
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008

Drupal Core Security - 12 November 2025 - 21:16
Project: Drupal core
Date: 2025-November-12
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13083
Description:

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.

In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.

This vulnerability is mitigated by the following:

  1. Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme.
  2. An attacker must know to request a file that has previously been requested by a more-privileged user, and that file must still be cached.
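A way to spot the condition this advisory describes in your own edge traffic, as an added example that is not Drupal core code: apply the RFC 9111 rules a shared cache (Varnish, a CDN) follows when deciding whether to store a response, and flag any response for a non-public file that such a cache would keep. Drupal core serves private files under /system/files/ and temporary files under /system/temporary; the third path prefix stands in for a contributed scheme and is hypothetical, as are the sample responses.

```python
"""Flag file responses that a shared cache (Varnish, CDN) would store even
though the file is not public, the condition described in SA-CORE-2025-008.

Added example, not Drupal core code. The sample responses are constructed.
"""
from typing import Dict, List, Tuple

# Path prefixes under which this site serves non-public files. The first two
# are Drupal core's private and temporary file routes; the third is a
# hypothetical contributed scheme.
NON_PUBLIC_PREFIXES = ("/system/files/", "/system/temporary", "/system/myscheme/")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'public, max-age=3600' into {'public': '', 'max-age': '3600'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """RFC 9111 storage rules as a shared cache applies them.

    no-store and private forbid storing; public, s-maxage and max-age permit
    it; a bare Expires header also permits it. Heuristic freshness (no
    directive at all) is not modelled, so that case reports "not stored".
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "public" in cc or "s-maxage" in cc or "max-age" in cc:
        return True
    return "expires" in h


def is_non_public_path(path: str) -> bool:
    """True for request paths that serve files from a non-public scheme."""
    return path.startswith(NON_PUBLIC_PREFIXES)


def find_miscacheable(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return the paths of non-public file responses a shared cache would keep."""
    return [path for path, headers in responses
            if is_non_public_path(path) and shared_cache_may_store(headers)]


# Constructed sample (path, response headers) pairs, as an access-log or
# response-capture tool might collect them from the edge.
SAMPLE_RESPONSES = [
    ("/system/files/reports/q3.pdf", {"Cache-Control": "private, no-store"}),
    ("/system/myscheme/hr/salary.xlsx", {"Cache-Control": "public, max-age=3600"}),
    ("/system/temporary?file=upload.tmp", {"Cache-Control": "max-age=120"}),
    ("/sites/default/files/logo.png", {"Cache-Control": "public, max-age=31536000"}),
]

if __name__ == "__main__":
    for path in find_miscacheable(SAMPLE_RESPONSES):
        print("non-public file served as shared-cacheable:", path)
```

After updating core, the same check run over fresh captures should return no paths; the public logo is expected to stay cacheable, which is why only the non-public prefixes are considered.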
Solution: 

Install the latest version:

  • If you are using Drupal 10.4, update to Drupal 10.4.9.
  • If you are using Drupal 10.5, update to Drupal 10.5.6.
  • If you are using Drupal 11.1, update to Drupal 11.1.9.
  • If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • tame4tex
Fixed By: 
  • Benji Fisher (benjifisher) of the Drupal Security Team
  • catch (catch) of the Drupal Security Team
  • Neil Drumm (drumm) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Mingsong (mingsong), provisional member of the Drupal Security Team
  • Mohit Aghera (mohit_aghera)
  • James Gilliland (neclimdul) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Coordinated By: 
  • catch (catch) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Drupal core - Moderately critical - Defacement - SA-CORE-2025-007

Drupal Core Security - 12 November 2025 - 21:16
Project: Drupal core
Date: 2025-November-12
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Defacement
Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13082
Description:

By generating a malicious URL and tricking a user into visiting it, an attacker can perform site defacement.

The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.

Solution: 

Install the latest version:

  • If you are using Drupal 10.4, update to Drupal 10.4.9.
  • If you are using Drupal 10.5, update to Drupal 10.5.6.
  • If you are using Drupal 11.1, update to Drupal 11.1.9.
  • If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
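The Affected versions line and the Solution list above carry the same information as a version-range expression, and anyone patching more than a handful of sites wants to evaluate it mechanically against each installed core version rather than read it by eye. The following Python is an added example, not code from the advisory or from the Drupal project: it parses the expression format used on this page (clauses of `>=`/`<` constraints joined by `||`, with or without a space before the number) and also reports the branches the advisory names as end-of-life, for which no fixed release exists. The `EOL_BRANCHES` table and the `assess` function are this example's own constructs, filled in from the advisory text.

```python
import re

# Constructed from the "Affected versions" line of SA-CORE-2025-007 above.
AFFECTED_CORE = (">= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || "
                 ">= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8")

# Branches the advisory calls end-of-life ("Drupal 11.0.x, Drupal 10.3.x,
# and below", plus Drupal 8 and 9). A version on one of these gets no fix,
# so "outside the affected range" must not be reported as safe.
EOL_BRANCHES = ((8,), (9,), (10, 0), (10, 1), (10, 2), (10, 3), (11, 0))

# One comparison operator followed by a dotted version, e.g. ">= 10.4.9"
# or "<2.0.3" (the contrib advisories omit the space).
_CONSTRAINT = re.compile(r"(>=|<=|>|<|=)\s*(\d+(?:\.\d+)*)")

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """'10.4.9' -> (10, 4, 9). A pre-release suffix such as '-rc1' or
    '-dev' is dropped, so a dev build is compared by its base number."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_affected(expr):
    """Parse an 'Affected versions' expression into OR-ed clauses, each a
    list of (operator, version tuple) constraints that must all hold."""
    clauses = []
    for clause in expr.split("||"):
        found = _CONSTRAINT.findall(clause)
        if not found:
            raise ValueError(f"unparseable clause: {clause!r}")
        clauses.append([(op, parse_version(v)) for op, v in found])
    return clauses


def _compare(op, a, b):
    # Pad to equal length so that (10, 4) compares as (10, 4, 0).
    n = max(len(a), len(b))
    return _OPS[op](a + (0,) * (n - len(a)), b + (0,) * (n - len(b)))


def is_affected(version, expr=AFFECTED_CORE):
    """True if `version` falls inside any clause of `expr`."""
    v = parse_version(version)
    return any(all(_compare(op, v, bound) for op, bound in clause)
               for clause in parse_affected(expr))


def is_eol(version):
    """True if `version` sits on a branch the advisory declares end-of-life."""
    v = parse_version(version)
    return any(v[:len(branch)] == branch for branch in EOL_BRANCHES)


def assess(version, expr=AFFECTED_CORE):
    """'eol' (no fix will be published), 'affected' (update to the
    release named in the Solution), or 'fixed'."""
    if is_eol(version):
        return "eol"
    return "affected" if is_affected(version, expr) else "fixed"


if __name__ == "__main__":
    # Constructed sample of installed versions from a hypothetical fleet.
    for v in ("10.3.14", "10.4.8", "10.4.9", "11.1.9-dev", "11.2.7"):
        print(f"{v:>12}: {assess(v)}")
```

Feed it the version reported by `composer show drupal/core` or `drush status`. A result of `eol` means the only remediation is a branch upgrade, not a point release; `affected` maps directly onto the Solution list above.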

Reported By: 
  • Kevin Quillen (kevinquillen)
Fixed By: 
  • Benji Fisher (benjifisher) of the Drupal Security Team
  • Neil Drumm (drumm) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Mingsong (mingsong), provisional member of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Ra Mänd (ram4nd), provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Coordinated By: 
  • catch (catch) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security