
Drupal Contrib Security

URL: https://www.drupal.org/security/contrib
Updated: 30 minutes 3 seconds ago

Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050

17 June 2026 - 20:40
Project: Plotly.js Graphing
Date: 2026-June-17
Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: PHP object injection
Affected versions: <3.0.2
CVE IDs: CVE-2026-55810
Description:

The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library.

The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached plotly_js_graph field. In addition, the core JSON:API module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Solution: 

Install the latest version:

  • If you use the Plotly.js Graphing module for Drupal, upgrade to plotly_js-3.0.2.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Stephen Mustgrave (smustgrave)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049

17 June 2026 - 20:39
Project: Flag attendance field
Date: 2026-June-17
Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: PHP object injection
Affected versions: <1.2
CVE IDs: CVE-2026-55809
Description:

The Flag attendance field module adds attendance functionality that depends on the Flag module.

flag_attendance_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached flag_attendance_field field. In addition, the core JSON:API module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Solution: 

Install the latest version:

  • If you use the Flag attendance field module for Drupal, upgrade to Flag attendance field 8.x-1.2.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Anas Mawlawi (anas_maw)
  • Benji Fisher (benjifisher) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Coordinated By: 
  • Benji Fisher (benjifisher) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048

17 June 2026 - 20:38
Project: Formatter Field
Date: 2026-June-17
Security risk: Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: PHP object injection
Affected versions: <2.0.0
CVE IDs: CVE-2026-12535
Description:

The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis.

formatter_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a content entity with an attached formatter_field field. In addition, the core JSON:API module must be enabled with the option "Accept all JSON:API create, read, update, and delete operations", which is not the default, or the attacker needs some other way to edit field values directly.

Solution: 

Install the latest version:

  • If you use the Formatter Field module, upgrade to Formatter Field 2.0.0.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Kostia Bohach (_shy)
Coordinated By: 
  • Benji Fisher (benjifisher) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047

10 June 2026 - 19:10
Project: Brute force attack protection
Date: 2026-June-10
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2026-11915
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Categories: Drupal Security

Composer - Critical - Unsupported - SA-CONTRIB-2026-046

10 June 2026 - 19:09
Project: Composer
Date: 2026-June-10
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2026-11914
Description:

The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Note: this advisory concerns a Drupal project that makes use of Composer. It is not a vulnerability in the Composer software itself.

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Categories: Drupal Security

Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045

10 June 2026 - 19:08
Project: Mother May I
Date: 2026-June-10
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2026-11913
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Categories: Drupal Security

Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044

10 June 2026 - 19:07
Project: Examples for Developers
Date: 2026-June-10
Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <4.0.6
CVE IDs: CVE-2026-11909
Description:

The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.

The "Read from a file" feature implemented by the file_example submodule can be used to expose any file that PHP can access. Therefore, the file_example submodule is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.

Solution: 

Any site with the file_example submodule installed should uninstall it immediately. Then, install the latest version of Examples for Developers:

  • If you are using Examples for Developers 4.0.x, upgrade to Examples for Developers 4.0.6. Developers who based a new module on this example should review their code for an access bypass.
Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Alberto Paderno (avpaderno)
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043

10 June 2026 - 19:07
Project: Tagify
Date: 2026-June-10
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting (XSS)
Affected versions: <1.2.52
CVE IDs: CVE-2026-11908
Description:

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.

The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session.

The vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.

Solution: 

Install the latest version of the Tagify module that includes a fix for sanitising parent term names in the Tagify dropdown rendering.

  • If you use the Tagify module for Drupal, upgrade to tagify 1.2.52.

More information will be provided in the project release notes once the fixed version is published.

Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • David Galeano (gxleano)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Categories: Drupal Security

Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042

3 June 2026 - 18:14
Project: Anti-Spam by CleanTalk
Date: 2026-June-03
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Affected versions: <9.7.1
CVE IDs: CVE-2026-10770
Description:

This module provides spam protection using the CleanTalk cloud service.

The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.

This vulnerability is mitigated by the fact that an attacker must be able to influence the CleanTalk cloud API response (e.g., through a man-in-the-middle attack or a compromised API server).

Solution: 

Install the latest version:

  • If you use the Anti-Spam by CleanTalk module for Drupal, upgrade to Anti-Spam by CleanTalk 9.7.1.
Reported By: 
  • Ra Mänd (ram4nd) provisional member of the Drupal Security Team
Fixed By: 
  • alexandergull
  • anton1211
  • Ra Mänd (ram4nd) provisional member of the Drupal Security Team
Coordinated By: 
  • Neil Drumm (drumm) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041

3 June 2026 - 18:13
Project: Commerce Core
Date: 2026-June-03
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Affected versions: >= 3.3.0 < 3.3.6
CVE IDs: CVE-2026-10769
Description:

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations with Checkout (commerce_checkout) enabled and the "Comments" checkout pane (id: customer_comments) explicitly enabled; that pane is disabled by default.

Solution: 

Install the latest version:

  • If you use Commerce Core 3.3.x, upgrade to Commerce Core 3.3.6
Reported By: 
  • Brian Willows (hsjbrianwillows)
Fixed By: 
  • Jonathan Sacksick (jsacksick)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

3 June 2026 - 18:11
Project: TacJS
Date: 2026-June-03
Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Improper Access Control
Affected versions: <6.8
CVE IDs: CVE-2026-49977
Description:

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside content, leading to an attacker being able to delete arbitrary cookies.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

For additional information, see the Github Security Advisory GHSA-jxj7-g6gm-49j7 for the tarteaucitron.js library.

Solution: 

Install the latest version:

  • If you use tacjs 8.x-6.x, upgrade to tacjs 8.x-6.8
Reported By: 
  • Frank Mably (mably)
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Categories: Drupal Security

LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

3 June 2026 - 18:10
Project: LocalGov Workflows
Date: 2026-June-03
Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information disclosure
Affected versions: <1.6.0
CVE IDs: CVE-2026-10768
Description:

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview.

The module doesn't sufficiently restrict access to a view of Service Contacts, which exposes the name of each Service Contact and the content items assigned to them.

Solution: 

Install the latest version:

  • If you use the LocalGov Workflows module for Drupal, upgrade to LocalGov Workflows 1.6.0
Reported By: 
  • Maria Young (maria.y)
Fixed By: 
  • Finn Lewis (finn lewis)
  • Rupert Jabelman (rupertj)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

27 May 2026 - 20:32
Project: Drupal AlternativeCommerce (Basket)
Date: 2026-May-27
Security risk: Highly critical 22 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Affected versions: <2.1.17
CVE IDs: CVE-2026-9726
Description:

The Basket module enables e-commerce and checkout functionality for Drupal sites.

The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().

An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.

Solution: 

Install the latest version:

  • If you use the Basket module, upgrade to Basket 2.1.17.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Helena Zajika (helena zajika)
  • Drew Webber (mcdruid) of the Drupal Security Team
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Categories: Drupal Security
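The three PHP object injection advisories above (SA-CONTRIB-2026-048, -049 and -050) and the Basket advisory (SA-CONTRIB-2026-038) describe one pattern: a value is stored or received as a PHP-serialized string, an attacker who can write it (for example through JSON:API) embeds an object, and the later unserialize() instantiates that object. The PHP below is an added illustration of the two defensive controls for that pattern, written for this page and not taken from any of the affected modules or from the Drupal Security Team; it assumes PHP 8 and uses hypothetical function names and constructed sample values.

```php
<?php
declare(strict_types=1);

/*
 * Hardening pattern for data kept as PHP-serialized strings.
 * Two controls, applied together:
 *   1. On read: never let unserialize() instantiate classes. With
 *      'allowed_classes' => false every object in the payload becomes a
 *      __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a gadget
 *      class ever runs.
 *   2. On write (field validation, before the value reaches storage):
 *      refuse any value that decodes to an object at all, so a payload
 *      pushed in through JSON:API or a direct field edit is rejected
 *      rather than stored for a later read to trip over.
 * Storing JSON (json_encode / json_decode(..., true)) instead of
 * serialize() removes the class-instantiation surface entirely.
 */

/** Recursively check a decoded value for any object left by unserialize(). */
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        // Covers __PHP_Incomplete_Class and anything else that got through.
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Decode a stored value without instantiating any class.
 * Returns the decoded array or scalar; throws for malformed input and for
 * input that carried an object.
 */
function unserializeFieldValue(string $raw): mixed
{
    // serialize(false) is "b:0;", the only legitimate way to get false back;
    // any other false result means unserialize() rejected the input.
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if ($decoded === false && $raw !== 'b:0;') {
        throw new UnexpectedValueException('Malformed serialized field value');
    }
    if (containsObject($decoded)) {
        throw new UnexpectedValueException('Serialized field value contains an object');
    }
    return $decoded;
}

/** Validation-time check: true only for values that are safe to persist. */
function isStorableSerializedValue(string $raw): bool
{
    try {
        unserializeFieldValue($raw);
        return true;
    } catch (UnexpectedValueException) {
        return false;
    }
}

// Constructed sample values (not taken from any of the affected modules).
// SAFE_VALUE is an ordinary nested array; OBJECT_VALUE embeds an object whose
// class name is a placeholder, the shape a stored-object payload would take.
const SAFE_VALUE = 'a:2:{s:4:"type";s:3:"bar";s:4:"data";a:1:{i:0;i:42;}}';
const OBJECT_VALUE = 'a:1:{s:4:"type";O:18:"HypotheticalGadget":1:{s:3:"cmd";s:2:"id";}}';

// Write-side control: the validator accepts the array and refuses the object.
var_dump(isStorableSerializedValue(SAFE_VALUE));
var_dump(isStorableSerializedValue(OBJECT_VALUE));

// Read-side control: decoding the benign value yields plain arrays only.
var_dump(unserializeFieldValue(SAFE_VALUE)['data']);
```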

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

13 May 2026 - 19:19
Project: Date iCal
Date: 2026-May-13
Security risk: Critical 17 ∕ 25 AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All
Vulnerability: Information disclosure
Affected versions: <4.0.15
CVE IDs: CVE-2026-8495
Description:

This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission; the routes are accessible to all anonymous users with no configuration required.

Solution: 

Install the latest version:

  • If you use the Date iCal module for Drupal 10/11, upgrade to Date iCal 4.0.15
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Joël Pittet (joelpittet)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Dave Long (longwave) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Categories: Drupal Security

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

13 May 2026 - 19:18
Project: Colorbox Inline
Date: 2026-May-13
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: <2.1.1
CVE IDs: CVE-2026-8493
Description:

This module enables you to open content already on the page within a colorbox.

The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

  • If you use the Colorbox Inline module for Drupal 8.x, upgrade to Colorbox Inline 2.1.1
Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Michael Harris (miwayha)
Coordinated By: 
  • Bram Driesen (bramdriesen) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Categories: Drupal Security

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

13 May 2026 - 19:17
Project: Translate Drupal with GTranslate
Date: 2026-May-13
Security risk: Less critical 8 ∕ 25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: DOM clobbering / link manipulation
Affected versions: <3.0.5
CVE IDs: CVE-2026-8492
Description:

The GTranslate module provides a language switcher widget for Drupal sites.

The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain.

This vulnerability is mitigated by the fact that an attacker must be able to add HTML with attributes that are not allowed by Drupal’s default CKEditor configuration. It is also limited to sites using the paid versions of GTranslate widget JavaScript and configurations where the generated language links use script-provided values.

Solution: 

Install the latest version:

  • If you use the GTranslate module 3.0.x, upgrade to GTranslate 3.0.5.

Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Edvard Ananyan (edo888)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

13 May 2026 - 19:16
Project: Node View Permissions
Date: 2026-May-13
Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <1.7.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2026-8491
Description:

The Node View Permissions module enables the permissions "View own content" and "View any content" for each content type on the permissions page.

The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.

This vulnerability is mitigated by the fact that only private content to which anonymous users should not have view access is affected, and only if a node was reassigned to the anonymous user.

Solution: 

Install the latest version:

  • If you use the Node View Permissions module version 2.0.0 or earlier, upgrade to 2.0.1.
  • If you use the Node View Permissions module version 8.x-1.6 or earlier, upgrade to 8.x-1.7.
Reported By: 
  • Adam Shepherd (adamps)
Fixed By: 
  • Bálint Nagy (nagy.balint)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

22 April 2026 - 19:47
Project: Obfuscate
Date: 2026-April-22
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross-site scripting
Affected versions: <2.0.2
CVE IDs: CVE-2026-6871
Description:

This module enables you to obfuscate email addresses in content.

The module doesn't sufficiently sanitize user input via the Twig filter.

This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.

Solution: 

Install the latest version:

  • If you use the Obfuscate module, upgrade to Obfuscate 2.0.2
Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Christophe Jossart (colorfield)
  • Nigel Cunningham (nigelcunningham)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Categories: Drupal Security

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

8 April 2026 - 18:09
Project: Orejime
Date: 2026-April-08
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: <2.0.16
CVE IDs: CVE-2026-6095
Description:

The IframeConsent element writes HTML attributes without escaping their value.

This module has an XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.

This vulnerability is mitigated by the fact that a text format allowing iframe-consent HTML tags with alt attributes must be enabled together with the necessary option (Enable JS Iframe consent), and an attacker must have a role allowing the creation or modification of content in a field that uses that text format.

Solution: 

Install the latest version:

  • If you use the 2.x branch of Orejime, upgrade to Orejime 2.0.16.
Reported By: 
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By: 
  • Fabien Gutknecht (fabsgugu)
  • Pierre Rudloff (prudloff) of the Drupal Security Team
Coordinated By: 
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

1 April 2026 - 18:38
Project: SAML SSO - Service Provider
Date: 2026-April-01
Security risk: Critical 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Authentication bypass
Affected versions: <3.1.4
CVE IDs: CVE-2026-5343
Description:

This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.

Solution: 

Install the latest version:

  • If you are using the SAML SSO - Service Provider module for Drupal, upgrade to SAML SSO - Service Provider 3.1.4.

Reported By: 
  • Tim de Jong | Freelance Drupal Developer (tim_dj)
Fixed By: 
  • Sudhanshu Dhage (sudhanshu0542)
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security