456 matches found

Drupal
added 2026/06/10 12:0 a.m., 6 views

Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.2 AI score
Exploits: 0, References: 2

Cvelist
added 2026/03/25 3:22 p.m., 20 views

CVE-2026-3212 Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.49...

0.00136 EPSS
Exploits: 0, References: 1

Drupal
added 2026/03/04 12:0 a.m., 12 views

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. A visitor who successfully logs in to their Identity Provider and ...

6.5 CVSS, 5.8 AI score, 0.00246 EPSS
Exploits: 0, References: 2

Drupal
added 2026/02/25 12:0 a.m., 12 views

Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014

This module enables you to block bots by Firewall. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or...

4.7 CVSS, 5.3 AI score, 0.00171 EPSS
Exploits: 0, References: 2

Drupal
added 2025/12/03 12:0 a.m., 13 views

Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...

6.1 CVSS, 5.4 AI score, 0.00141 EPSS
Exploits: 0, References: 3

Vulnrichment
added 2025/10/29 11:14 p.m., 2 views

CVE-2025-12083 CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS). This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0...

5.5 AI score, 0.00186 EPSS
Exploits: 0, References: 1

Vulnrichment
added 2025/10/29 11:13 p.m., 3 views

CVE-2025-10930 Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 before 3.5.0...

6.5 AI score, 0.00122 EPSS
Exploits: 0, References: 1

Vulnrichment
added 2025/10/10 10:25 p.m., 2 views

CVE-2025-9554 Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104

Vulnerability in Drupal Owl Carousel 2. This issue affects Owl Carousel 2:...

6.5 AI score, 0.00229 EPSS
Exploits: 0, References: 1

CVE
added 2025/10/10 10:25 p.m., 9 views

CVE-2025-9552

CVE-2025-9552 concerns the Drupal module Synchronize composer.Json With Contrib Modules. Public descriptions in connected documents indicate a vulnerability affecting the module in general (versions not specified). The NVD/NVD-derived metrics show a CVSS 3.1 base score of 5.3 (Medium) with an at...

5.3 CVSS, 6.5 AI score, 0.00229 EPSS
Exploits: 0, References: 1, Affected Software: 1

Drupal
added 2025/08/27 12:0 a.m., 10 views

Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098

This module allows users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security. The module did not protect all possible login paths provided by core modules. CVSS risk score experimental 6.3 / Medium...

8.8 CVSS, 5.4 AI score, 0.0033 EPSS
Exploits: 0, References: 4

Vulnrichment
added 2025/08/15 4:27 p.m., 4 views

CVE-2025-8996 Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing. This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0...

6.6 AI score, 0.0022 EPSS
Exploits: 0, References: 1

Cvelist
added 2025/06/26 1:33 p.m., 12 views

CVE-2025-6675 Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0., from 0.0.0 before 5.1...

0.00204 EPSS
Exploits: 0, References: 1

Cvelist
added 2025/05/14 5:1 p.m., 15 views

CVE-2025-47701 Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery. This issue affects Restrict route by IP: from 0.0.0 before 1.3.0...

0.00171 EPSS
Exploits: 0, References: 1

CVE
added 2025/04/16 4:32 p.m., 58 views

CVE-2025-3739

CVE-2025-3739: A vulnerability in Drupal 8 Google Optimize Hide Page affects the Drupal 8 Google Optimize Hide Page module. The CVSSv3.1 metrics indicate a network attack vector, high attack complexity, and that an attacker requires high privileges with no user interaction to achieve a Confident...

5.9 CVSS, 5.7 AI score, 0.00258 EPSS
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/03/31 10:22 p.m., 18 views

CVE-2025-3061 Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006

Vulnerability in Drupal Material Admin. This issue affects Material Admin:...

7.2 AI score, 0.00425 EPSS
Exploits: 0, References: 1

Cvelist
added 2025/03/31 10:21 p.m., 16 views

CVE-2025-3060 Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005

Vulnerability in Drupal Flattern – Multipurpose Bootstrap Business Profile. This issue affects Flattern – Multipurpose Bootstrap Business Profile:...

0.00459 EPSS
Exploits: 0, References: 1

Drupal
added 2025/02/05 12:0 a.m., 6 views

OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013

This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources. The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling a client. This vulnerability is mitigated by the fact that an...

6.8 CVSS, 5.6 AI score, 0.00161 EPSS
Exploits: 0, References: 6

Drupal
added 2025/01/29 12:0 a.m., 17 views

Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

This module enables you to integrate the site with the Google Tag Manager (GTM) application. The module doesn't have the "restrict access" flag on the "administer googletagcontainer" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicio...

4.8 CVSS, 6.2 AI score, 0.00203 EPSS
Exploits: 0, References: 8

Cvelist
added 2025/01/09 8:23 p.m., 13 views

CVE-2024-13300 Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066

Vulnerability in Drupal Print Anything. This issue affects Print Anything:...

0.00355 EPSS
Exploits: 0, References: 1

CVE
added 2025/01/09 8:16 p.m., 59 views

CVE-2024-13292

CVE-2024-13292 – Drupal Tooltip is an XSS flaw in the Tooltip module, affected versions 0.0.0 through 1.1.2. The root cause is improper neutralization of input during web page generation, enabling cross-site scripting. Public references indicate this vulnerability is an authenticated XSS scenario...

4.8 CVSS, 6.6 AI score, 0.00228 EPSS
Exploits: 0, References: 1, Affected Software: 1