Drupal Contrib Security
Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013
This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.
The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.
Solution:Install the latest version:
- If you use the Tagify module, upgrade to Tagify 1.2.49 or later.
- David López (akalam)
- Mingsong (mingsong) provisional member of the Drupal Security Team
- David López (akalam)
- David Galeano (gxleano)
- Mingsong (mingsong) provisional member of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Dan Smith (galooph) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.
The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links.
This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.
Solution:Install the latest version:
- If you use the Theme Negotiation by Rules module, upgrade to Theme Negotiation by Rules 1.2.1.
- Juraj Nemec (poker10) of the Drupal Security Team
- Zoltan Attila Horvath (huzooka)
- Juraj Nemec (poker10) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
This module enables you to add icons to CKEditor.
The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.
Solution:Install the latest version and review permissions:
- If you use the Material Icons module for Drupal, upgrade to Material Icons 2.0.4.
- Assign the newly created "use material icons" permission to users who should have access to the widgets.
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
This module enables you to integrate and manage icons with Drupal.
The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule must be enabled.
Note: this SA was edited after release to correct the risk score; there is no user authentication requirement.
Solution:Install the latest version:
- If you use the UI Icons module upgrade to UI Icons 1.0.1 or UI Icons 1.1.1
- Drew Webber (mcdruid) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009
This module allows content to be edited in-place.
The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to create or edit an affected field.
Solution:Install the latest version:
Reported By:- Drew Webber (mcdruid) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page.
( default: http://example.com/user/login?admin )
If they provide the access key and have a specific role they can log in.
The module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.
Solution:Install the latest version:
- If you use the Login Disable module, upgrade to Login Disable 2.1.3
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Boris Doesborg (batigolix)
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007
This module enables you to turn a Drupal install into the Central Authentication System (CAS). It makes your database the primary location for other systems to use for authentication in a SSO environment.
The module doesn't sufficiently sanitize user-supplied field values configured to be included as attributes in a CAS server response.
This vulnerability is mitigated by the fact that an attacker must be authenticated, have the ability to enter XML into a user entity field, and that field be configured as a CAS Attribute source leading to an XML Element Injection vulnerability.
Solution:Install the latest version:
- If you use the CAS Server module for Drupal >=9.1.x or 10.x, upgrade to CAS Server 2.0.3
- If you use the CAS Server module for Drupal >=10.3.x or 11.x, upgrade to CAS Server 2.1.2
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease.
The module doesn't sufficiently validate access to Canvas Pages when they are unpublished.
This vulnerability is mitigated by the fact that Canvas Pages don't have content moderation enabled by default, and they must be unpublished after being released, and archiving is not a feature provided by the module yet.
Solution:Install the latest version:
If you use the Drupal Canvas module, upgrade to Canvas 1.0.4.
Reported By: Fixed By:- Bálint Kléri (balintbrews)
- Matt Glaman (mglaman)
- Christian López Espínola (penyaskito)
- Tim Plunkett (tim.plunkett)
- Alex Bronstein (effulgentsia) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0.
The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.
Solution:- If you use the Microsoft Entra ID SSO Login, update to the module's latest version Microsoft Entra ID SSO Login 2.0.0 (or Microsoft Entra ID SSO Login 1.0.4).
- Review the release notes and module documentation for information on how to update your configuration with the new module release.
- Site administrators should also review their security settings after upgrading and consider enabling the "Block User 1" and "Block Administrator role" options for additional protection.
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004
This module integrates the AT Internet Piano Analytics service.
The module does not filter administrator-entered text leading to a persistent Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pianoanalytics".
Solution:Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.
- If you use the AT Internet Piano Analytics module for Drupal 10+, upgrade to AT Internet Piano Analytics 2.3.1
- If you use the AT Internet Piano Analytics module for Drupal 9, upgrade to AT Internet Piano Analytics 1.0.1
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003
This module integrates the AT Internet SmartTag service.
The module does not filter administrator-entered text leading to a persistent Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag".
Solution:Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.
- If you use the AT Internet SmartTag module for Drupal 9 and 10, upgrade to AT Internet SmartTag 1.0.1
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission.
The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user with the ability to delegate a role is also able to assign the administrator role, including to their own user.
This vulnerability is mitigated by the fact that an attacker must have access to a view of users with the Views Bulk Operations module enabled.
Solution:Install the latest version:
- If you use the Role Delegation module for Drupal ^10.3 || ^11, upgrade to Role Delegation 8.x-1.5
- Drew Webber (mcdruid) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
This module enables allows group managers to invite people into their group.
The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.
This vulnerability is mitigated by the fact that it only occurs when certain uncommon actions are taken by a user with the permission to create group invites.
Solution:Install the latest version:
- If you use the Group Invite module 2.3.x, upgrade to Group Invite 2.3.9
- If you use the Group Invite module 3.0.x, upgrade to Group Invite 3.0.4
- If you use the Group Invite module 4.0.x, upgrade to Group Invite 4.0.4
- eduardo morales alberti
- Kevin Quillen (kevinquillen)
- Nikolay Lobachev (lobsterr)
- Ricardo Sanz Ante (tunic)
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Neue Kommentare
vor 15 Stunden 45 Minuten
vor 2 Tagen 21 Stunden
vor 4 Tagen 15 Stunden
vor 4 Tagen 23 Stunden
vor 2 Wochen 3 Tagen
vor 3 Wochen 10 Stunden
vor 7 Wochen 2 Tagen
vor 7 Wochen 2 Tagen
vor 7 Wochen 2 Tagen
vor 7 Wochen 2 Tagen