Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009

This module allows content to be edited in-place. The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: http://example.com/user/login?admin If they provide the access key and have a specific role they can log in. The module does not check for...

Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

This module enables you to turn a Drupal install into the Central Authentication System CAS. It makes your database the primary location for other systems to use for authentication in a SSO environment. The module doesn't sufficiently sanitize user-supplied field values configured to be included ...

Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006

This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease. The module doesn't sufficiently validate access to...

Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...

AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004

This module integrates the AT Internet Piano Analytics service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

This module enables allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content. This vulnerability is mitigated by the fact that it only occurs when certain uncommon...

AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003

This module integrates the AT Internet SmartTag service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag"...

Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

This module enables Drupal sites to authenticate users via Microsoft Entra ID formerly Azure AD using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials o...

HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126

Http Client Manager introduces a new Guzzle based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The modules allows administrators to configure HTTP requests as part of Event Condition Action ECA...

Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125

This module provides a centralized content distribution and syndication solution so thta customers can publish, reuse, and syndicate content across a network of Drupal websites. The module doesn't sufficiently protect export routes from cross-site request forgery CSRF attacks, potentially allowin...

Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...

Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages. The module doesn't sufficiently protect its confirmation routes from cross-site request forgery CSRF, allowing the logout confirmation route to be triggered without user...

Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123

This module enables you to deploy content from one Drupal website to another. The module provides some default configuration without sufficient access control. This vulnerability is mitigated by the fact that an administrator can add some default access control permission...

Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website. These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the modu...

CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration. This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system. This access bypass is possible for any account with a Vie...

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

This modules provides the ability to chat with an AI Agent using a large-language model LLM provider for different purposes. The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting XSS vulnerability where an attacker can use prompt injections on user-generated...

Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements. The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting XSS vulnerability. This vulnerability is mitigated by t...

Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124

This module enables you to disable the standard Drupal login form /user/login so site owners can prevent interactive logins via the UI. The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker or legitimate user with valid credentials can...

Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests...

Drupal core - Moderately critical - Defacement - SA-CORE-2025-007

By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement. The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content such as branding is rendered...

Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files schemes that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This...

Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data...

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

This module provides the ability to convert any entity form into a simple multi-step form. The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

The Email TFA module provides additional email-based two-factor authentication for Drupal logins. In certain scenarios, the module does not fully protect all login mechanisms as expected. This issue is mitigated by the fact that an attacker must already have valid user credentials username and...

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based...

CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manu...

CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with...

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their...

JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106

This module enables you to store and display JSON data using optional 3rd party libraries. The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting XSS vulnerability...

Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109

This module enables you to add Umami Analytics web statistics tracking system to your website. The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should...

Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107

This module integrates Plausible Analytics on a site. The module did not properly filter output in certain cases. This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment...

Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110

This module allows you to use different currencies on your website and do currency conversion. The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery CSRF attacks, potentially allowing an attacker to trick an admin into changing settin...

Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

This module allows you to specify an HTTP header name to determine the client's IP address. The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings'reverseproxy' is set to TRUE and $settings'reverseproxyaddresses' is configured. This vulnerability...

Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site. The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability. This...

API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. CVSS risk score experimental...

Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099

This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently check access to entities when they are displayed as facets. This vulnerability is mitigated by the fact that only sites that show facets with entity labels like taxonomy terms are...

Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100

This module enables you to to easily create and manage faceted search interfaces. The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...

Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098

This module allows users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module did not protect all possible login paths provided by core modules. CVSS risk score experimental 6.3 / Medium...

Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096

This module enables users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow. The module doesn't sufficiently validate authentication under specific...

Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder. The module doesn't sufficiently control access for adding sections in the submodule. This vulnerability is mitigated by the fact that an attacke...

AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095

This module enables you to provide SEO analysis and recommendations for a given URL. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093

This module enables you to access an edit page for a config page. The module doesn't sufficiently check the access permissions hookENTITYTYPEaccess wasn't taken into account. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" an...

GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

This module enables you to integrate Google Tag Manager GTM into your Drupal site by allowing administrators to configure and embed GTM container snippets. The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters...

COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092

This module allows you to manage video media items using the COOKiES module disabling external video elements. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might...

Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090

This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format. The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover,...

File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views. The File Download module...