
Newsfeed Generator

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Drupal Contrib Security - 2 hours 43 minutes ago
Project: Date iCal
Date: 2026-May-13
Security risk: Critical 17 ∕ 25 AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All
Vulnerability: Information disclosure
Affected versions: <4.0.15
CVE IDs: CVE-2026-8495
Description:

This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission; the routes are accessible to all anonymous users with no configuration required.

Solution: 

Install the latest version:

  • If you use the Date iCal module for Drupal 10/11, upgrade to Date iCal 4.0.15
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Joël Pittet (joelpittet)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Categories: Drupal Security

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Drupal Contrib Security - 2 hours 44 minutes ago
Project: Colorbox Inline
Date: 2026-May-13
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: <2.1.1
CVE IDs: CVE-2026-8493
Description:

This module enables you to open content already on the page within a colorbox.

The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

  • If you use the Colorbox Inline module for Drupal 8.x, upgrade to Colorbox Inline 2.1.1
Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Michael Harris (miwayha)
Coordinated By: 
  • Bram Driesen (bramdriesen) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Categories: Drupal Security

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

Drupal Contrib Security - 2 hours 45 minutes ago
Project: Translate Drupal with GTranslate
Date: 2026-May-13
Security risk: Less critical 8 ∕ 25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: DOM clobbering / link manipulation
Affected versions: <3.0.5
CVE IDs: CVE-2026-8492
Description:

The GTranslate module provides a language switcher widget for Drupal sites.

The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain.

This vulnerability is mitigated by the fact that an attacker must be able to add HTML with attributes that are not allowed by Drupal’s default CKEditor configuration. It is also limited to sites using the paid versions of GTranslate widget JavaScript and configurations where the generated language links use script-provided values.

Solution: 

Install the latest version.

If you use the GTranslate module 3.0.x, upgrade to GTranslate 3.0.5.

Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Edvard Ananyan (edo888)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Drupal Contrib Security - 2 hours 46 minutes ago
Project: Node View Permissions
Date: 2026-May-13
Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <1.7.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2026-8491
Description:

The Node View Permissions module adds "View own content" and "View any content" permissions for each content type on the permissions page.

The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.

This vulnerability is mitigated by the fact that only private content that anonymous users should not be able to view is affected, and only if a node was reassigned to the anonymous user.

Solution: 

Install the latest version:

  • If you use the Node View Permissions module version 2.0.0 or prior, upgrade to 2.0.1.
  • If you use the Node View Permissions module version 8.x-1.6 or prior, upgrade to 8.x-1.7.
Reported By: 
  • Adam Shepherd (adamps)
Fixed By: 
  • Bálint Nagy (nagy.balint)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Drupal Contrib Security - 22 April, 2026 - 19:47
Project: Obfuscate
Date: 2026-April-22
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross-site scripting
Affected versions: <2.0.2
CVE IDs: CVE-2026-6871
Description:

This module enables you to obfuscate email addresses in content.

The module doesn't sufficiently sanitize user input via the Twig filter.

This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.

Solution: 

Install the latest version:

  • If you use the Obfuscate module, upgrade to Obfuscate 2.0.2
Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Christophe Jossart (colorfield)
  • Nigel Cunningham (nigelcunningham)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Categories: Drupal Security

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Drupal Core Security - 15 April, 2026 - 21:27
Project: Drupal core
Date: 2026-April-15
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6367
Description:

Drupal 11.3 comes with support for completing entity suggestions while adding a link in CKEditor 5.

The suggestions aren't sufficiently sanitized, and a malicious user could trigger a stored cross-site scripting attack against another user.

Solution: 

Install the latest version:

  • If you use Drupal 11.3.x, update to Drupal 11.3.7
  • Drupal versions below 11.3 are not affected by this vulnerability
Reported By: 
  • cantina_security
  • Dries Buytaert (dries)
  • Shirsendu Mondal
Fixed By: 
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Mingsong (mingsong), provisional member of the Drupal Security Team
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Drupal Core Security - 15 April, 2026 - 21:25
Project: Drupal core
Date: 2026-April-15
Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Gadget Chain
Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6366
Description:

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution: 

Install the latest version:

  • If you use Drupal 10.5.x, update to Drupal 10.5.9.
  • If you use Drupal 10.6.x, update to Drupal 10.6.7.
  • If you use Drupal 11.2.x, update to Drupal 11.2.11.
  • If you use Drupal 11.3.x, update to Drupal 11.3.7.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 
  • Truong Le (hswww)
  • menon
  • t-chen
Fixed By: 
  • Benji Fisher (benjifisher) of the Drupal Security Team
  • cilefen (cilefen) of the Drupal Security Team
  • Neil Drumm (drumm) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Ra Mänd (ram4nd), provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Drupal Core Security - 15 April, 2026 - 21:24
Project: Drupal core
Date: 2026-April-15
Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7
CVE IDs: CVE-2026-6365
Description:

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.

Solution: 

Install the latest version:

  • If you use Drupal 10.5.x, update to Drupal 10.5.9.
  • If you use Drupal 10.6.x, update to Drupal 10.6.7.
  • If you use Drupal 11.2.x, update to Drupal 11.2.11.
  • If you use Drupal 11.3.x, update to Drupal 11.3.7.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 
  • Murat Kekiç (murat_kekic)
Fixed By: 
  • Anna Kalata (akalata) of the Drupal Security Team
  • Benji Fisher (benjifisher) of the Drupal Security Team
  • Neil Drumm (drumm) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Michael Hess (mlhess) of the Drupal Security Team
  • James Gilliland (neclimdul) of the Drupal Security Team
  • Joseph Zhao (pandaski) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Ra Mänd (ram4nd), provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

Drupal Contrib Security - 8 April, 2026 - 18:09
Project: Orejime
Date: 2026-April-08
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: <2.0.16
CVE IDs: CVE-2026-6095
Description:

The IframeConsent element writes HTML attributes without escaping their value.

This module has an XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.

This vulnerability is mitigated by the fact that a text format that allows iframe-consent HTML tags with alt attributes must be enabled with the necessary option (Enable JS Iframe consent), and an attacker must have a role allowing the creation or modification of content in a field that uses that text format.

Solution: 

Install the latest version:

  • If you use the 2.x branch of Orejime, upgrade to Orejime 2.0.16.
Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Fabien Gutknecht (fabsgugu)
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Coordinated By: 
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Drupal Contrib Security - 1 April, 2026 - 18:38
Project: SAML SSO - Service Provider
Date: 2026-April-01
Security risk: Critical 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Authentication bypass
Affected versions: <3.1.4
CVE IDs: CVE-2026-5343
Description:

This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.

Solution: 

Install the latest version:

If you are using the SAML SSO - Service Provider module for Drupal, upgrade to SAML SSO - Service Provider 3.1.4.

Reported By: 
  • Tim de Jong | Freelance Drupal Developer (tim_dj)
Fixed By: 
  • Sudhanshu Dhage (sudhanshu0542)
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

2. April 2026 - DUG Berlin Rolls Up Their Sleeves & Goes Hands-On

Drupal User Group Berlin - 27 March 2026 - 12:50
Start: 2026-04-02 19:30 - 21:30 Europe/Berlin
Organizers: norman.lol, stolzenhain, akoe
Event type: User group meeting

https://drupal.berlin

Dear Berlin Drupal community!
(German version below)

At our next Drupal User Group, we're trying something new: small-group, hands-on digging where you drive the learning. No lectures, just real-world tinkering, collaboration, and quick wins.

How It Works

  1. We pick 1 or 2 topics (or suggest your own!), for example: how to use the Media module in a future-proof way and with ease.
  2. Form small groups per topic (3–5 people, 45 min): team up with peers and try to find a good approach to your topic.
  3. Share your takeaways with all of us afterwards: no pressure, no perfection, just practical insights!

Why do we want to try this?

  • Solve real problems you face right now, maybe bring a local copy of your website and let's have a look!
  • Learn from peers – not just experts.
  • Walk away with actionable tips (no fluff!).

When: 2 April 2026, 7:30 pm
Where: Ultrabold – Office Space
Blücherstr. 22
Courtyard 3 – Stairway 6
2nd floor
10961 Berlin

Livestream
If you can’t join us in person, you can also watch the meetup via livestream:
https://talks.drupal.de/nor-508-xdo-ihf

German version:

The Berlin user group rolls up its sleeves and gets hands-on

At our next Drupal meetup we are trying something new: we split into small groups and work on practical questions and problems. No long talks, just doing, working together and getting quick wins.

This is how we picture it

  1. We pick 1 or 2 topics (or you bring your own suggestions!), for example: how to use the Media module in a future-proof and simple way.
  2. We form small groups of 3 to 5 people and discuss and experiment for about 45 minutes on a topic of your choice. Together we try to find a good approach to your topic.
  3. Afterwards, share your findings with all of us: no perfection, no pressure, just practical insights!

Why do we want to try this?

  • Solve real problems you are facing right now. Maybe bring a local copy of your website so we can take a look at it!
  • Learn from peers, not just from experts.
  • Take actionable tips home with you (no long talks!).

When: 2 April 2026, 19:30

Where: Ultrabold – Office Space
Blücherstr. 22
Courtyard 3 – Stairway 6
2nd floor
10961 Berlin

Livestream
If you can't be there in person, you can also follow the meetup via livestream:
https://talks.drupal.de/nor-508-xdo-ihf

Categories: Planet Drupal

Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Drupal Contrib Security - 18 March 2026 - 18:10
Project: Automated Logout
Date: 2026-March-18
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Cross-site request forgery
Affected versions: <1.7.0 || >=2.0.0 <2.0.2
CVE IDs: CVE-2026-4393
Description:

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.

Solution: 

Install the latest version:

  • If you use Automated Logout 8.x-1.x version 8.x-1.6 or lower, upgrade to autologout 8.x-1.7.
  • If you use Automated Logout 2.x version 2.0.1 or lower, upgrade to autologout 2.0.2.
Reported By: 
  • Pierre Rudloff (prudloff)
Fixed By: 
  • Ajit Shinde (ajits)
  • Jakob P (japerry)
  • Gareth Alexander (the_g_bomb)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

Drupal Contrib Security - 11 March 2026 - 18:35
Project: Unpublished Node Permissions
Date: 2026-March-11
Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.7.0
CVE IDs: CVE-2026-4933
Description:

This module creates per-content-type permissions to control access to unpublished nodes.

The module does not consistently control access for unpublished translated nodes.

Solution: 

Install the latest version:

  • If you use the Unpublished Node Permissions module, upgrade to Unpublished Node Permissions 8.x-1.7.
Reported By: 
  • Andre Groendijk (groendijk)
Fixed By: 
  • Fabien Gutknecht (fabsgugu)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028

Drupal Contrib Security - 11 March 2026 - 18:33
Project: AI (Artificial Intelligence)
Date: 2026-March-11
Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: <1.1.11 || >=1.2.0 <1.2.12
CVE IDs: CVE-2026-3573
Description:

The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.

Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the context of the LLM request.

Solution: 

Install the latest version:

  • If you use the AI module 1.1 or earlier, upgrade to AI 1.1.11.
  • If you use the AI module 1.2, upgrade to AI 1.2.12.
Reported By: 
  • Marcus Johansson (marcus_johansson)
Fixed By: 
  • Artem Dmitriiev (a.dmitriiev)
  • Abhisek Mazumdar (abhisekmazumdar)
  • Dave Long (longwave) of the Drupal Security Team
  • Marcus Johansson (marcus_johansson)
  • Valery Lourie (valthebald)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Drupal Contrib Security - 4 March 2026 - 20:02
Project: OpenID Connect / OAuth client
Date: 2026-March-04
Security risk: Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <1.5.0
CVE IDs: CVE-2026-3532
Description:

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

Solution: 

Install the latest version:

  • If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5

Updating OpenID Connect will not solve potential issues with existing accounts affected by this bug. See the "Fixing emails that vary only by case" documentation for additional guidance.

Reported By: 
  • Eric Smith (ericgsmith)
Fixed By: 
  • Philip Frilling (pfrilling)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Drupal Contrib Security - 4 March 2026 - 20:02
Project: OpenID Connect / OAuth client
Date: 2026-March-04
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.5.0
CVE IDs: CVE-2026-3531
Description:

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

A visitor who successfully logs in to their Identity Provider and is denied access to Drupal through custom code or a server error will maintain their session at the Identity Provider, possibly leading to access bypass situations, especially in a shared computing environment.

Solution: 

Install the latest version:

  • If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5
Reported By: 
  • Kimberley Massey (kimberleycgm)
Fixed By: 
  • Kimberley Massey (kimberleycgm)
  • Philip Frilling (pfrilling)
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

Drupal Contrib Security - 4 March 2026 - 20:00
Project: OpenID Connect / OAuth client
Date: 2026-March-04
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Server-side request forgery, Information disclosure
Affected versions: <1.5.0
CVE IDs: CVE-2026-3530
Description:

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate certain fields coming from the identity provider, which could lead to SSRF and information disclosures.

This vulnerability is mitigated by the fact that:
  • an attacker must have access to the identity provider to supply compromised data in the source profile;
  • a site must have specific field mappings configured.

Solution: 

Install the latest version:

  • If you use the OpenID Connect 8.x-1.x module upgrade to OpenID Connect 8.x-1.5
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Philip Frilling (pfrilling)
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024

Drupal Contrib Security - 4 March 2026 - 19:59
Project: Google Analytics GA4
Date: 2026-March-04
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site Scripting
Affected versions: <1.1.14
CVE IDs: CVE-2026-3529
Description:

The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.

This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" (or "administer google analytics ga4 settings") permission.

An attacker with this permission could inject malicious JavaScript via event handlers (such as onload) or override the script source, leading to a Cross-Site Scripting (XSS) attack on all pages where the GA4 script is loaded.

Note: this advisory initially suggested it was fixed in the 1.1.13 release, but the 1.1.13 release was missing the fix. Users of this module should switch to the 1.1.14 release.

Solution: 

Install the latest version:

  • If you use the Google Analytics GA4 module, upgrade to Google Analytics GA4 1.1.14
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Sujan Shrestha (sujan shrestha)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023

Drupal Contrib Security - 4 March 2026 - 19:58
Project: Calculation Fields
Date: 2026-March-04
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross-site Scripting
Affected versions: <1.0.4
CVE IDs: CVE-2026-3528
Description:

This module extends the Drupal form API by adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration.

The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting (XSS).

Solution: 

Install the latest version:

  • If you use the Calculation fields module, upgrade to Calculation fields 1.0.4
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Joao Paulo Constantino (joaopauloc.dev)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022

Drupal Contrib Security - 4 March 2026 - 19:57
Project: AJAX Dashboard
Date: 2026-March-04
Security risk: Critical 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <3.1.0
CVE IDs: CVE-2026-3527
Description:

AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons.

The module doesn't sufficiently check access on the dashboard configuration route. Unauthorized users could access the entity dashboard configuration page and either enable or disable dashboards. The affected administration page does not permit editing the configurations of the dashboards themselves.

The vulnerability is mitigated by the fact that the AJAX Dashboard Entity Dashboard submodule must be enabled.

Solution: 

Install the latest version of the AJAX Dashboard module, which includes the update to AJAX Dashboard: Entity Dashboards:

  • If you use the AJAX Dashboard module, upgrade to AJAX Dashboard 3.1.0
Reported By: 
  • Juraj Nemec (poker10) of the Drupal Security Team
Fixed By: 
  • Michael Nolan (laboratory.mike)
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security