13925 matches found
DRUPAL-CONTRIB-2025-114
This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, which affects all access checks that are based...
PT-2025-44358
Name of the Vulnerable Software and Affected Versions: Drupal Currency versions prior to 3.5.0. Description: A Cross-Site Request Forgery (CSRF) issue exists in Drupal Currency. This allows attackers to perform actions on behalf of authenticated users without their knowledge. CSRF occurs when a...
PT-2025-44359
Name of the Vulnerable Software and Affected Versions: Drupal Umami Analytics versions prior to 1.0.1. Description: A flaw exists in Drupal Umami Analytics that allows for Cross-Site Scripting (XSS). This issue arises from improper neutralization of input during web page generation. The vulnerability...
PT-2025-44357
Name of the Vulnerable Software and Affected Versions: Drupal Reverse Proxy Header versions prior to 1.1.2. Description: An improper validation of consistency within input exists in Drupal Reverse Proxy Header, allowing manipulation of user-controlled variables. Recommendations: Update to version 1.1...
PT-2025-44362
Name of the Vulnerable Software and Affected Versions: Drupal Simple OAuth (OAuth2) & OpenID Connect versions 6.0.0 through 6.0.6. Description: A flaw exists in Simple OAuth (OAuth2) & OpenID Connect that permits authentication bypass. This issue allows bypassing normal authentication mechanisms through...
Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114
This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, which affects all access checks that are based...
PT-2025-44356
Name of the Vulnerable Software and Affected Versions: Drupal Access code versions prior to 2.0.5. Description: An improper restriction of excessive authentication attempts exists in Drupal Access code, potentially allowing brute force attacks. The issue impacts the Access code module. Recommendatio...
PT-2025-44361
Name of the Vulnerable Software and Affected Versions: Drupal CivicTheme Design System versions prior to 1.12.0. Description: A flaw exists in the CivicTheme Design System that allows for Cross-Site Scripting (XSS). This occurs due to improper neutralization of input during web page generation. The...
PT-2025-44354
Name of the Vulnerable Software and Affected Versions: Drupal JSON Field versions prior to 1.5. Description: A flaw exists in Drupal JSON Field that allows for Cross-Site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. Successful exploitation could...
PT-2025-44355
Name of the Vulnerable Software and Affected Versions: Drupal Plausible tracking versions prior to 1.0.2. Description: The Plausible tracking component contains a flaw due to improper input neutralization during web page generation, leading to a Cross-Site Scripting (XSS) issue. This allows for the...
DRUPAL-CONTRIB-2025-113
CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with...
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with...
Drupal CivicTheme Design System module < 1.12.0 - Unauthenticated Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure vulnerability discovered by Lee Rowlands (larowlan) in WordPress Module CivicTheme Design System versions 1.12.0...
Drupal CivicTheme Design System module < 1.12.0 - Unauthenticated Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Adam Bramley (acbramley) in WordPress Module CivicTheme Design System versions 1.12.0...
CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112
CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manu...
CVE-2025-11570
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filtering of data. Note: This is exploitable only if the code is executed outside of Drupal; the function is intended to be shared between Drupal and Patter...
EUVD-2025-33789
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force. This issue affects Protected Pages: from 0.0.0 before 1.8.0...
EUVD-2025-33787
Vulnerability in Drupal API Key manager. This issue affects API Key manager:...
EUVD-2025-33788
Vulnerability in Drupal Synchronize composer.Json With Contrib Modules. This issue affects Synchronize composer.Json With Contrib Modules:...
EUVD-2025-33785
Vulnerability in Drupal Owl Carousel 2. This issue affects Owl Carousel 2:...