Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes. This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" or...
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
This module enables you to integrate and manage icons with Drupal. The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site Scripting (XSS) vulnerability. The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule...
AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095
This module enables you to provide SEO analysis and recommendations for a given URL. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side Request Forgery (SSRF) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075
This module provides a format filter, which allows you to "disable" certain HTML elements e.g. remove their src attribute specified by the user. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attribute...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065
This module provides a block to easily display a rendered node. Access to the rendered node isn't validated before rendering the block, allowing access to node content for users that would normally not be allowed to access the node...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064
This module provides a block to easily display a rendered node. The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes...
Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059
The Events Log Track module enables you to log specific events on a Drupal site. The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack...
Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042
This module enables you to put a site-wide Bootstrap-themed alert message at the top of every page. The module doesn't sufficiently filter text input, leading to possible XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administ...
Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072
This module provides a block that renders a link providing the functionality of a browser's back button. The module does not sufficiently escape text entered by an administrator, resulting in a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...
Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Drupal core contains a potential PHP Object Injection vulnerability that, if combined with another exploit, could lead to Arbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allo...
Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042
This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have ...
Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006
This module enables you to add social sharing buttons to a site. The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056
This module enables you to set content permissions based on taxonomy terms. The module doesn't sufficiently restrict access to translated and unpublished nodes. This vulnerability is mitigated by the fact that it only affects sites with translated content...
Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029
This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS. The module was providing too much information about users, such as the list of groups a uid is in...
Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011
This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input. This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format like the default "Filtered HTML" format tha...
Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020
Update 2022-05-04: Existing maintainers have updated the project to clarify that the module did not contain a security issue that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by...
Vendor Stream Wrapper - Moderately critical - Unsupported - SA-CONTRIB-2022-019
This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publicly accessible URLs to these files. The module exposes all files that are in the vendor directory, without a site owner's...
Cog - Critical - Unsupported - SA-CONTRIB-2022-018
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022
This module provides a revision UI for Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...
Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021
This module provides a revision UI for Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided...
Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016
This module provides a revision UI to Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided ...
Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027
This module enables you to use the current URL path alias and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website. The module doesn't sufficiently sanitize editor input in certain circumstances leading ...
Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017
This module enables you to build forms and surveys in Drupal. The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which...
Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004
The Profile module enables you to allow users to have configurable user profiles. The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095
The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms. The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists...
Webform Multiple File Upload - Critical - Unsupported - SA-CONTRIB-2019-090
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
SendinBlue - Critical - Access bypass - SA-CONTRIB-2019-088
Update: This module had an access bypass vulnerability which has now been addressed by the module's current maintainers. Original description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you...
Nodequeue - Critical - Cross Site Scripting - SA-CONTRIB-2019-085
Updated November 22. This module enables you to collect nodes in an arbitrarily ordered list. Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loade...
Noggin - Critical - Unsupported - SA-CONTRIB-2019-080
Update - 2021-01-22: This maintainer has fixed this security issue. Please install https://www.drupal.org/project/noggin/releases/7.x-1.2 to resolve the issue. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the...
Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075
Open Social is a Drupal distribution for online communities. The included socialmagiclogin module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge...
Metatag - Moderately critical - Information disclosure - SA-CONTRIB-2019-058
This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks. The module doesn't sufficiently check for a site being in maintenance mode. This vulnerability is mitigated by the fact that the sit...
Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057
Metatags quick is a module that manages meta tags that appear in HTML's head section as Drupal 7 fields. The administration page of Metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup. This...
Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052
This module provides an API for adding universally unique identifiers (UUIDs) to Drupal objects, most notably entities. The module has a privilege escalation vulnerability when it's used in combination with Services+REST server. This vulnerability is mitigated by the fact that an attacker must...
Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032
The Ubercart module provides a shopping cart and e-commerce features for Drupal. The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL...
Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030
This module enables you to create facet filters for results of a search query and exposes them as blocks. The module doesn't sufficiently escape HTML in certain scenarios, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by two factors. First, an attacker must have...
Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017
This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure. In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration...
Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014
Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service. The module does not properly...
NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066
NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs. The module doesn't sufficiently handle sanitization of its field formatter's output. This vulnerability is mitigated by the...
SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027
This module adds a new formatter for file fields, which allows any file extension to be uploaded. The module doesn't sufficiently handle sanitization of uploaded SVG files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission create...
Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability. This...
Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010
This module enables the user to set custom permissions per path. The module doesn't perform sufficient checks on paths with dynamic arguments like "node/1" or "user/2", thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an acce...
Dynamic Banner - Less critical - Cross site scripting - SA-CONTRIB-2018-011
This module enables a site to display different banners via blocks on different pages depending upon specific criteria. The module doesn't sufficiently filter output of banner data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089
The Mailhandler module enables you to create nodes by email. The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code. The vulnerability applies to any active mailhandler mailbox, whether or no...
Page Access - Unsupported - SA-CONTRIB-2017-075
This module provides the option to give View and Edit access to users and roles on each node page. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...
Relation - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-063
This module enables you to store relationships between entities as fieldable entities. The module doesn't sufficiently check permissions when displaying related entities labels with the Relation Dummy Field module widget. This vulnerability is mitigated by the fact that the optional Relation Dumm...
Alinks - Moderately Critical - Access bypass - SA-CONTRIB-2017-058
This module enables you to automatically link keywords to specific URLs. This module has an insufficient access check on the delete route: Alinks uses the wrong permission for the access check. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with...
DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057
UPDATE 2017-07-12 : This SA originally recommended version 2.6, but it was incorrectly tagged. We've updated the SA to recommend version 2.7. Sorry for the confusion! DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom. The module did...
Services - Critical - SQL Injection - SA-CONTRIB-2017-054
This module provides a standardized solution for building APIs so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it. This vulnerability is mitigated by the fact tha...