Drupal Security

Project: Disable Login PageDate: 2025-December-03Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.1.3CVE IDs: CVE-2025-13986Description: 

This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.

The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.

This vulnerability is mitigated by the fact that an attacker must already possess valid account credentials.

Solution: 

Install the latest version:

• If you use the Disable Login Page module, upgrade to Disable Login Page 1.1.3

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Anoop John (anoopjohn)
• Jijo Joseph (jijojoseph_zyxware)
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Entity ShareDate: 2025-December-03Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <3.13.0CVE IDs: CVE-2025-13985Description: 

This module enables you to deploy content from one Drupal website to another.

The module provides some default configuration without sufficient access control.

This vulnerability is mitigated by the fact that an administrator can add some default access control permission.

Solution: 

Install the latest version:

• If you use the Entity Share module for Drupal on branch 8.x-3.x, upgrade to Entity Share 8.x-3.13.

For a hotfix without upgrading the module, edit the entity_share_client_entity_import_status view to ensure access permissions are set.

Reported By: 

• Jürgen Haas (jurgenhaas)

Fixed By: 

• Florent Torregrosa (grimreaper)
• Joachim Noreiko (joachim)

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Next.jsDate: 2025-December-03Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.6.4 || >=2.0.0 <2.0.1CVE IDs: CVE-2025-13984Description: 

This module enables integration between Next.js and Drupal for headless CMS functionality.

When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.

This vulnerability affects all installations as there are no configuration options to disable this behavior.

Solution: 

There are two steps to resolve the issue: Install the latest version and review your configuration,

1. Update the module:
   • If you use the Next.js module for Drupal 10 or 11, upgrade to Next.js 2.0.1.
   • If you use the Next.js module for Drupal 9 (1.x branch), upgrade to Next.js 1.6.4.

2. After upgrading, review the CORS configuration in sites/default/services.yml. (See this module's CORS.md for details.). This is especially important if you previously relied on the automatic CORS configuration.

Reported By: 

• Mike Decker (pookmish)

Fixed By: 

• Brian Perry (brianperry)
• Rob Decker (rrrob)

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: TagifyDate: 2025-December-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site ScriptingAffected versions: <1.2.44CVE IDs: CVE-2025-13983Description: 

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.

The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.

Solution: 

Install the latest version:

• If you use the Tagify module for Drupal, upgrade to Tagify 1.2.44.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• David Galeano (gxleano)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Login Time RestrictionDate: 2025-December-03Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Cross-Site Request ForgeryAffected versions: <1.0.3CVE IDs: CVE-2025-13982Description: 

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.

The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.

Solution: 

Install the latest version:

• If you use the Login Time Restriction module for Drupal, upgrade to Login Time Restriction v1.0.3.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Kunal Singh (kunal_singh)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: AI (Artificial Intelligence)Date: 2025-December-03Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-Site ScriptingAffected versions: <1.0.7 || >=1.1.0 <1.1.7 || >=1.2.0 <1.2.4CVE IDs: CVE-2025-13981Description: 

This modules provides the ability to chat with an AI Agent using a large-language model (LLM) provider for different purposes.

The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated content with the LLM as context.

Solution: 

Install the latest version:

• If you use the AI module 1.0.x, upgrade to AI 1.0.7.
• If you use the AI module 1.1.x, upgrade to AI 1.1.7.
• If you use the AI module 1.2.x, upgrade to AI 1.2.4.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Marcus Johansson (marcus_johansson)

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: CKEditor 5 Premium FeaturesDate: 2025-December-03Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0 <1.5.1 || >=1.6.0 <1.6.4CVE IDs: CVE-2025-13980Description: 

The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.

This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.

This access bypass is possible for any account with a View published content permission, but the risk is mitigated by the fact that only images can be opened.

Solution: 

Install the latest version:

• If you use the 10.3 or higher or 11.x versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.6.4.
• If you use the 10.0 to 10.2 versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.5.1.
• If you use the 9.x version of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.3.6.

A fix was also released to already unsupported branches. However, we recommend to use the latest version that works with the version of Drupal core that you're using:

• CKEditor 5 Premium Features 1.4.3.
• CKEditor 5 Premium Features 1.2.10.

After the module is updated, if you are using the Export to Word or Export to PDF plugins, please grant the Use exporters endpoints permission to roles that are allowed to use text formats with export plugins enabled.

Reported By: 

• Wojciech Kukowski (salmonek)

Fixed By: 

• Wojciech Kukowski (salmonek)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Mini siteDate: 2025-December-03Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-Site ScriptingAffected versions: <3.0.2CVE IDs: CVE-2025-13979Description: 

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission create [bundle] content permission.

Solution: 

Two steps are required. Install the latest version and adjust configuration:

1. If you use Mini site 2.x or 3.x versions, upgrade to the Mini site 3.0.2.

2. A new manage minisites permission has been added. This new permission will need to be assigned to a trusted role for the user to be able to upload the zip file.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• cb_govcms

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information disclosureAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13083Description: 

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.

In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.

This vulnerability is mitigated by the following:

1. Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme.
2. An attacker must know to request a file that has previously been
   requested by a more-privileged user, and that file must still be cached.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• tame4tex

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Mingsong (mingsong), provisional member of the Drupal Security Team
• Mohit Aghera (mohit_aghera)
• James Gilliland (neclimdul) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: DefacementAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13082Description: 

By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.

The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Kevin Quillen (kevinquillen)

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Mingsong (mingsong), provisional member of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget chainAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13081Description: 

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• anzuukino

Fixed By: 

• Anna Kalata (akalata), provisional member of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Denial of ServiceAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13080Description: 

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.

This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).

This could be exploited in various ways:

• Broken rendering of some pages
• Unstyled or malformatted pages
• Adverse impacts on client-side functionality

Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability. The authors of the underlying library do not believe it is a source of vulnerabilities in other systems. Drupal's use of library leads to an implementation-specific vulnerability, so we've issued this advisory and reserved a CVE ID for the vulnerability in Drupal.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Dragos Dumitrescu (dragos-dumi)
• yasser ALLAM (inzo_)
• Nils Destoop (nils.destoop)
• Sven Decabooter (svendecabooter)
• zhero

Fixed By: 

• Alex Pott (alexpott) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Jen Lampton (jenlampton), provisional member of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Nils Destoop (nils.destoop)
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Simple multi step formDate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <2.0.0CVE IDs: CVE-2025-12761Description: 

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Solution: 

Install the latest version:

• If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported

Reported By: 

• Ide Braakman (idebr)

Fixed By: 

• Diosbel Mezquía (dmezquia)
• Ide Braakman (idebr)
• Vitaliy Bogomazyuk (vitaliyb98)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Email TFADate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.6CVE IDs: CVE-2025-12760Description: 

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Solution: 

Install the latest version:

• If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• abdulaziz zaid

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)

Date: 2025-November-03Description: 

The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.

Schedule change for back-to-back DrupalCons

This schedule change is due to DrupalCons Vienna and Nara overlapping the October and November core security windows. We do not schedule core security windows during DrupalCons so that site owners and agencies can attend these conferences without having to worry about their sites or clients.

December is also not typically used for core security releases due to the quick sequencing of the Drupal core minor releases and the end-of-year holidays. This would mean a period of four months where we could not provide any regularly scheduled security update.

No special release procedures

The schedule change is not due to any highly critical issue that would require special release procedures.

As a reminder, a Drupal core security window does not necessarily mean a Drupal security release will occur, only that one is possible.

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Simple OAuth (OAuth2) & OpenID ConnectDate: 2025-October-29Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=6.0.0 <6.0.7CVE IDs: CVE-2025-12466Description: 

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.

The module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles. For example: routes that have the _role requirement, can be bypassed with an access token.

This vulnerability is mitigated by the fact that an attacker must have the access token in possession and the user related to the token must have the associated (role requirement) roles assigned.

Update: the Affected versions field was updated to reflect that this vulnerability was present in the 6.0.0 release and fixed in 6.0.7. Earlier versions of this advisory incorrectly stated that other versions were affected.

Solution: 

Install the latest version:

• If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7

Reported By: 

• coffeemakr

Fixed By: 

• Bojan Bogdanovic (bojan_dev)
• coffeemakr
• Juraj Nemec (poker10) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.12.0CVE IDs: CVE-2025-12083Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows for the injection of malicious scripts in browser contexts.

Additionally, CivicTheme fails to filter markup from SVGs embedded within the web page allowing potentially malicious scripts to be injected.

This vulnerability is mitigated by an attacker needing permission to create or edit content within a CivicTheme site.

CivicTheme with its default permissions restricts the creation of content to content author and content approver roles.

Solution: 

Install the latest version:

• If you use the CivicTheme theme, upgrade to CivicTheme 1.12.

Reported By: 

• Adam Bramley (acbramley)
• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureAffected versions: <1.12.0CVE IDs: CVE-2025-12082Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manual lists, which leads to an information disclosure vulnerability

Specifically, when unpublished or archived nodes (CivicTheme Page and Event) are referenced via card components and placed into manually curated lists or blocks, a referenced card is rendered on the page for users who do not have permission to view unpublished content. The referenced node itself is correctly checked for permission, but the information in the card component (title, thumbnail, tags) discloses information that the user does not have access to view.

This results in:

• Draft or never-published Event node data being visible to anonymous users on cards.
• Archived content persisting in curated content lists.

This disclosure bypasses editorial expectations and may expose sensitive or internal-only content unintentionally. It does not require complex interaction or elevated permissions. It is triggered by standard reference configurations and view templates.

Solution: 

Install the latest version:

• If you use the CivicTheme theme for Drupal 10.x / 11.x, upgrade to CivicTheme-1.12.0

Reported By: 

• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Joshua Fernandes (joshua1234511)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: Reverse Proxy HeaderDate: 2025-September-24Security risk: Less critical 8 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.1.2CVE IDs: CVE-2025-10929Description: 

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.

Solution: 

To resolve this issue, sites must both upgrade and confirm their settings.

Install the latest 1.1.2 version.

Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module setting introduced in this release).

This security release does not affect your Drupal instance if:
- or $settings['reverse_proxy'] is not set or set to FALSE;
- or $settings['reverse_proxy_header'] is not set or set to FALSE;
- or $settings['reverse_proxy_addresses'] is not set or set to an empty array.

This security release may affect your Drupal instance if:
- and $settings['reverse_proxy'] is set to TRUE;
- and $settings['reverse_proxy_header'] is set;
- and $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to verify how Drupal determines the client IP address.

How to verify:

It can be checked by sending a request from a non-trusted proxy/server like:
curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`

If Drupal detects the client IP address (for example, at the dblog report), everything works as expected.

If Drupal detects the client IP address as 8.8.8.8, you may need to check your $settings['reverse_proxy_addresses'] and/or review the documentation in the README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].

Reccomendation:

Although it is not required to have $settings['reverse_proxy_addresses'] (Drupal Core setting) configured, it's always preferred to do so to improve security.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Bohdan Artemchuk (bohart)
• Drew Webber (mcdruid) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: CurrencyDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.5.0CVE IDs: CVE-2025-10930Description: 

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

Solution: 

Install the latest version:

• If you use the Currency module for Drupal, upgrade to Currency 8.x-3.5

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Sascha Grossenbacher (berdir)
• Pieter Frenssen (pfrenssen)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team