
News feed aggregator

File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021

Drupal Contrib Security - 4 March, 2026 - 19:56
Project: File Access Fix (deprecated)
Date: 2026-March-04
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <1.2.0
CVE IDs: CVE-2026-3526
Description:

This module moves files to and from private storage depending on the access of its owning entities.

The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances.

This vulnerability is mitigated by the fact that saving an entity a second time resolves the issue.

Solution: 

Install the latest version:

  • If you use the File access fix module, upgrade to File access fix 8.x-1.2
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Merlin Axel Rutz (geek-merlin)
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020

Drupal Contrib Security - 4 March, 2026 - 19:54
Project: File Access Fix (deprecated)
Date: 2026-March-04
Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <1.2.0
CVE IDs: CVE-2026-3525
Description:

This module moves files to and from private storage depending on the access of its owning entities.

The module does not sufficiently incorporate the results of hook_file_download when a custom or contrib module implements that hook, leading to an access bypass.

Solution: 

Install the latest version:

  • If you use the File access fix module, upgrade to File access fix 8.x-1.2
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Merlin Axel Rutz (geek-merlin)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019

Drupal Contrib Security - 25 February, 2026 - 20:51
Project: Responsive Favicons
Date: 2026-February-25
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
Affected versions: <2.0.2
CVE IDs: CVE-2026-3218
Description:

This module adds the favicons generated by realfavicongenerator.net to your Drupal site.

The module does not filter administrator-entered text, leading to a persistent Cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive favicons".

Solution: 

Install the latest version, then confirm the permissions associated with the module are assigned to appropriate roles.

  • If you use the Responsive Favicons module version 2.0.1 or lower, upgrade to Responsive Favicons 2.0.2.
  • 4.x and 3.x branches are not affected by this vulnerability.
Reported By: 
  • Simon Bäse (simonbaese)
Fixed By: 
  • Frank Mably (mably)
  • Sean Hamlin (wiifm)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018

Drupal Contrib Security - 25 February, 2026 - 20:51
Project: SAML SSO - Service Provider
Date: 2026-February-25
Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
Affected versions: <3.1.3
CVE IDs: CVE-2026-3217
Description:

This module enables you to perform SAML protocol-based single sign-on (SSO) on a Drupal site.

The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting (XSS) vulnerability.

Solution: 

Install the latest version:

  • If you are using the "SAML SSO- Service Provider" module for Drupal, upgrade to SAML SSO- Service Provider 3.1.3.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Sudhanshu Dhage (sudhanshu0542)
Coordinated By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017

Drupal Contrib Security - 25 February, 2026 - 20:51
Project: Drupal Canvas
Date: 2026-February-25
Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Server-side request forgery, Information disclosure
Affected versions: <1.1.1
CVE IDs: CVE-2026-3216
Description:

This module enables you to easily theme and build an entire website using only your browser, without the need to write code beyond basic JSX and CSS. Content creators are able to compose content on any part of the page without relying on developers.

The project has a hidden sub-module, Drupal Canvas AI, which is disabled by default. It is typically enabled as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush). When the submodule is enabled, the following vulnerability is exposed.

The module doesn't sufficiently sanitize user-supplied data via crafted API requests within the messages JSON payload.

It is mitigated by the fact that an attacker must have a role with the permission "use Drupal Canvas AI".

How the Canvas AI sub-module gets enabled: As a hidden submodule, canvas_ai is not intended for manual activation via the UI. It is designed to be pulled in as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush).

Solution: 

Install the latest version:

  • If you use the Drupal Canvas module, upgrade to Drupal Canvas 1.1.1.

Sites without the hidden submodule enabled are not vulnerable. The module is hidden from the UI module list, but admins can verify its status via the command line: drush config:get core.extension | grep canvas_ai

Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Bálint Kléri (balintbrews)
  • Ignacio Sánchez Holgueras (isholgueras)
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Narendra Singh Rathore (narendrar)
  • Christian López Espínola (penyaskito)
  • Tim Plunkett (tim.plunkett)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016

Drupal Contrib Security - 25 February, 2026 - 20:49
Project: Islandora
Date: 2026-February-25
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Arbitrary file upload, Cross-site scripting
Affected versions: <2.17.5
CVE IDs: CVE-2026-3215
Description:

This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment.

The module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to nodes, which can also lead to cross-site scripting and other vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create media" and the ability to edit the node the media is being attached to.

Solution: 

Install the latest version:

  • If you use the Islandora module, upgrade to Islandora 2.17.5.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Joe Corall (joecorall)
  • Rosie Le Faive (rosiel)
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

Drupal Contrib Security - 25 February, 2026 - 20:47
Project: CAPTCHA
Date: 2026-February-25
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:All
Vulnerability: Access bypass
Affected versions: <1.17.0 || >=2.0.0 < 2.0.10
CVE IDs: CVE-2026-3214
Description:

This module enables you to protect web forms from automated spam by requiring users to pass a challenge.

The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions.

This vulnerability is mitigated by the fact that an attacker must first successfully solve at least one CAPTCHA manually to harvest the valid tokens.

Solution: 

Install the latest version:

  • If you use the Captcha module 2.0.x, upgrade to Captcha 2.0.10.
  • If you use the Captcha module 8.x-1.x, upgrade to Captcha 8.x-1.17.
Reported By: 
  • Andrew Wang (andrew.wang)
  • Andrew Belcher (andrewbelcher)
  • Chris Dudley (dudleyc)
  • M Parker (mparker17)
  • tamasd
  • Tim Wood (timwood)
Fixed By: 
  • Denis K**** (dench0)
  • Joshua Sedler (grevil)
  • Jakob P (japerry)
  • Adam Nagy (joevagyok)
Coordinated By: 
  • cilefen (cilefen) of the Drupal Security Team
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Michael Hess (mlhess) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014

Drupal Contrib Security - 25 February, 2026 - 20:46
Project: Anti-Spam by CleanTalk
Date: 2026-February-25
Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross-site scripting
Affected versions: <9.7.0
CVE IDs: CVE-2026-3213
Description:

This module enables you to block bots by Firewall.

The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or blocked by the firewall.

Solution: 

Install the latest version:

  • If you use the Anti-Spam by CleanTalk module for Drupal, upgrade to Anti-Spam by CleanTalk 9.7.0.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • glomberg
  • Drew Webber (mcdruid) of the Drupal Security Team
  • sergefcleantalk
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Drupal Contrib Security - 25 February, 2026 - 20:45
Project: Tagify
Date: 2026-February-25
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: <1.2.49
CVE IDs: CVE-2026-3212
Description:

This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.

The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.

Solution: 

Install the latest version:

  • If you use the Tagify module, upgrade to Tagify 1.2.49 or later.
Reported By: 
  • David López (akalam)
  • Mingsong (mingsong) provisional member of the Drupal Security Team
Fixed By: 
  • David López (akalam)
  • David Galeano (gxleano)
  • Mingsong (mingsong) provisional member of the Drupal Security Team
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Dan Smith (galooph) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

Drupal Contrib Security - 25 February, 2026 - 20:44
Project: Theme Negotiation by Rules
Date: 2026-February-25
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site request forgery
Affected versions: <1.2.1
CVE IDs: CVE-2026-3211
Description:

This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.

The module uses simple GET requests to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators into clicking on links.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.

Solution: 

Install the latest version:

  • If you use the Theme Negotiation by Rules module, upgrade to Theme Negotiation by Rules 1.2.1.
Reported By: 
  • Juraj Nemec (poker10) of the Drupal Security Team
Fixed By: 
  • Zoltan Attila Horvath (huzooka)
  • Juraj Nemec (poker10) of the Drupal Security Team
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011

Drupal Contrib Security - 25 February, 2026 - 20:43
Project: Material Icons
Date: 2026-February-25
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.0.4
CVE IDs: CVE-2026-3210
Description:

This module enables you to add icons to CKEditor.

The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.

Solution: 

Install the latest version and review permissions:

  1. If you use the Material Icons module for Drupal, upgrade to Material Icons 2.0.4.
  2. Assign the newly created "use material icons" permission to users who should have access to the widgets.
Reported By: 
  • Jen M (jannakha)
Fixed By: 
  • Bryan Sharpe (b_sharpe)
  • Jen M (jannakha)
Coordinated By: 
  • Damien McKenna (damienmckenna) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Ra Mänd (ram4nd), provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010

Drupal Contrib Security - 11 February, 2026 - 18:54
Project: UI Icons
Date: 2026-February-11
Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.0.1 || >=1.1.0 <1.1.1
CVE IDs: CVE-2026-2349
Description:

This module enables you to integrate and manage icons with Drupal.

The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule must be enabled.

Note: this SA was edited after release to correct the risk score; there is no user authentication requirement.

Solution: 

Install the latest version:

  • If you use the UI Icons module, upgrade to UI Icons 1.0.1 or UI Icons 1.1.1
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Jean Valverde (mogtofu33)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Categories: Drupal Security

Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009

Drupal Contrib Security - 11 February, 2026 - 18:53
Project: Quick Edit
Date: 2026-February-11
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.0.5 || >=2.0.0 <2.0.1
CVE IDs: CVE-2026-2348
Description:

This module allows content to be edited in-place.

The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create or edit an affected field.

Solution: 

Install the latest version:

  • If you use the QuickEdit module, upgrade to 2.0.1 or 1.0.5
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Derek Wright (dww)
  • Vladimir Roudakov (vladimiraus)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Categories: Drupal Security

Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

Drupal Contrib Security - 4 February, 2026 - 19:23
Project: Login Disable
Date: 2026-February-04
Security risk: Less critical 8 ∕ 25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.1.3
CVE IDs: CVE-2026-1917
Description:

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page (default: http://example.com/user/login?admin). If they provide the access key and have a specific role they can log in.

The module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.

Solution: 

Install the latest version:

  • If you use the Login Disable module, upgrade to Login Disable 2.1.3
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Boris Doesborg (batigolix)
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Categories: Drupal Security

User Group Berlin February 5th 2026

Drupal User-Group Berlin - 30 January, 2026 - 14:57
Start: 2026-02-05 19:30 - 21:30 Europe/Berlin
Organizers: stolzenhain norman.lol akoe
Event type: User group meeting

https://drupal.berlin

Dear Berlin Drupal community!

At the February Drupal User Group Berlin on Thursday, 5 February at 7:30 p.m. at c-base, we will be doing a show & tell on productivity workflows.
It will be short, practical and based on real everyday development:
* How do we set up a new computer?
* Which dotfiles (.bashrc, .editorconfig, etc.) help you get through your daily routine?
* Without these Drush aliases and justfile, our workflows would be impossible

Drupal turned 25 since the last DUG, and we're asking ourselves: what does that mean for us (besides the fact that we've gotten older)?
So this time, no lectures, but demos, exchanges and perhaps a little Drupal history romance, and as usual, all in the seminar room of the cosiest space on earth: c-base.

Categories: Planet Drupal

Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

Drupal Contrib Security - 28 January, 2026 - 19:29
Project: Central Authentication System (CAS) Server
Date: 2026-January-28
Security risk: Less critical 6 ∕ 25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: XML Element Injection
Affected versions: <2.0.3 || >=2.1.0 <2.1.2
CVE IDs: CVE-2026-1554
Description:

This module enables you to turn a Drupal install into the Central Authentication System (CAS). It makes your database the primary location for other systems to use for authentication in a SSO environment.

The module doesn't sufficiently sanitize user-supplied field values configured to be included as attributes in a CAS server response, leading to an XML Element Injection vulnerability.

This vulnerability is mitigated by the fact that an attacker must be authenticated and have the ability to enter XML into a user entity field, and that field must be configured as a CAS Attribute source.

Solution: 

Install the latest version:

  • If you use the CAS Server module for Drupal >=9.1.x or 10.x, upgrade to CAS Server 2.0.3
  • If you use the CAS Server module for Drupal >=10.3.x or 11.x, upgrade to CAS Server 2.1.2
Reported By: 
  • Gaël Gosset (gaëlg)
Fixed By: 
  • Ted Cooper (elc)
  • Gaël Gosset (gaëlg)
  • Jaap Jansma (jaapjansma)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006

Drupal Contrib Security - 28 January, 2026 - 19:28
Project: Drupal Canvas
Date: 2026-January-28
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-1553
Description:

This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease.

The module doesn't sufficiently validate access to Canvas Pages when they are unpublished.

This vulnerability is mitigated by the fact that Canvas Pages don't have content moderation enabled by default, and they must be unpublished after being released, and archiving is not a feature provided by the module yet.

Solution: 

Install the latest version:

If you use the Drupal Canvas module, upgrade to Canvas 1.0.4.

Reported By: 
  • jschref
Fixed By: 
  • Bálint Kléri (balintbrews)
  • Matt Glaman (mglaman)
  • Christian López Espínola (penyaskito)
  • Tim Plunkett (tim.plunkett)
Coordinated By: 
  • Alex Bronstein (effulgentsia) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
Categories: Drupal Security