Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2026/05/13 12:0 a.m.15 views

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...

3.7CVSS5.8AI score0.00214EPSS
Exploits0References3
Drupal
Drupal
added 2026/05/13 12:0 a.m.17 views

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no...

9.8CVSS5.8AI score0.00369EPSS
Exploits0References2
Drupal
Drupal
added 2026/04/22 12:0 a.m.23 views

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using...

6.1CVSS5.8AI score0.00196EPSS
Exploits0References2
Drupal
Drupal
added 2026/04/15 12:0 a.m.69 views

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user...

6.1CVSS5.2AI score0.00201EPSS
Exploits0References2
Drupal
Drupal
added 2026/04/15 12:0 a.m.113 views

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application...

6.6CVSS6.5AI score0.00399EPSS
Exploits0References7
Drupal
Drupal
added 2026/04/15 12:0 a.m.19 views

Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting XSS vulnerability...

6.1CVSS4.9AI score0.00238EPSS
Exploits0References7
Drupal
Drupal
added 2026/04/08 12:0 a.m.12 views

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

The IframeConsent element writes HTML attributes without escaping their value. This module has a XSS vulnerability. If an attacker is able to write an tag, they may be able to insert arbitrary JavaScript. This vulnerability is mitigated by the fact that a text format that allows iframe-consent HT...

6.1CVSS5.9AI score0.00196EPSS
Exploits0References1
Drupal
Drupal
added 2026/04/01 12:0 a.m.21 views

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

This module enables you to perform SAML-protocol-based single-sign-on SSO on a Drupal site. The module doesn't sufficiently block access, leading to a authentication bypass vulnerability...

7.4CVSS5.9AI score0.00257EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/18 12:0 a.m.19 views

Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

This module provides a site administrator the ability to log users out after a specified time of inactivity. The module doesn't sufficiently protect its routes from cross-site request forgery CSRF, allowing the logout route to be triggered without user interaction...

4.3CVSS5.5AI score0.00109EPSS
Exploits0References1
Drupal
Drupal
added 2026/03/11 12:0 a.m.16 views

AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028

The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the...

7.5CVSS5.8AI score0.00232EPSS
Exploits0References1
Drupal
Drupal
added 2026/03/11 12:0 a.m.16 views

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

This module creates permissions per node content type to control access to unpublished nodes per content type. The module does not consistently control access for unpublished translated nodes...

7.5CVSS5.8AI score0.00232EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.15 views

Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023

This module extends the Drupal form API adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration. The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting XSS...

6.1CVSS5.8AI score0.00243EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.15 views

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. A visitor who successfully logs in to their Identity Provider and ...

6.5CVSS5.8AI score0.00246EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.19 views

Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024

The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes. This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" or...

6.1CVSS5.8AI score0.00243EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.16 views

OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate the uniqueness of certain...

4.2CVSS5.8AI score0.00133EPSS
Exploits0References3
Drupal
Drupal
added 2026/03/04 12:0 a.m.16 views

OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate certain fields coming fro...

4.3CVSS5.6AI score0.00162EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.23 views

File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020

This module moves files to and from private storage depending on the access of its owning entities. The module does not sufficiently incorporate the results of hookfiledownload when a custom or contrib module implements that hook leading to access bypass...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.16 views

File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021

This module moves files to and from private storage depending on the access of its owning entities. The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances. This vulnerability is mitigated by the fact th...

5.3CVSS5.8AI score0.00256EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.18 views

AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022

AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons. The module doesn't sufficiently check access on the dashboard configuration route...

6.5CVSS5.8AI score0.00243EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/25 12:0 a.m.17 views

Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017

This module enables you to easily theme and build an entire website using only their browser, without the need to write code beyond basic JSX and CSS. Content creators are able to compose content on any part of the page without relying on developers. The project has a hidden sub-module, Drupal...

5CVSS5.6AI score0.00287EPSS
Exploits0References2
Drupal
Drupal
added 2026/02/25 12:0 a.m.12 views

Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019

This module adds the favicons generated by realfavicongenerator.net to your Drupal site. The module does not filter administrator-entered text, leading to a persistent Cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

4.8CVSS5.4AI score0.00185EPSS
Exploits0References2
Drupal
Drupal
added 2026/02/25 12:0 a.m.16 views

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets. The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the brows...

5.4CVSS5.8AI score0.00136EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/25 12:0 a.m.16 views

CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

This module enables you to protect web forms from automated spam by requiring users to pass a challenge. The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions. This vulnerability is mitigated...

6.5CVSS5.5AI score0.00268EPSS
Exploits0References3
Drupal
Drupal
added 2026/02/25 12:0 a.m.11 views

Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016

This module integrates with Islandora, an open-source digital asset management DAM framework. Islandora integrates with various open-source services, which can be run in a distributed environment. The module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to...

5.4CVSS5.1AI score0.00176EPSS
Exploits0References2
Drupal
Drupal
added 2026/02/25 12:0 a.m.12 views

Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011

This module enables you to add icons to CKEditor. The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios...

5.3CVSS5.4AI score0.00223EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/25 12:0 a.m.14 views

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

This module allows site builders to create so-called "themerule" config entities. These theme rules can render pages with different themes than the default when certain conditions match. The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enab...

4.3CVSS5.4AI score0.00098EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/25 12:0 a.m.13 views

SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018

This module enables you to perform SAML protocol-based single sign-on SSO on a Drupal site. The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting XSS vulnerability...

6.1CVSS5.2AI score0.00193EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/25 12:0 a.m.15 views

Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014

This module enables you to block bots by Firewall. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or...

4.7CVSS5.3AI score0.00171EPSS
Exploits0References2
Drupal
Drupal
added 2026/02/11 12:0 a.m.14 views

Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009

This module allows content to be edited in-place. The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

5.4CVSS5.6AI score0.00136EPSS
Exploits0References3
Drupal
Drupal
added 2026/02/11 12:0 a.m.15 views

UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010

This module enables you to integrate and manage icons with Drupal. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule...

6.1CVSS5.4AI score0.00149EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/04 12:0 a.m.12 views

Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: http://example.com/user/login?admin If they provide the access key and have a specific role they can log in. The module does not check for...

4.3CVSS5.5AI score0.00202EPSS
Exploits0References3
Drupal
Drupal
added 2026/01/28 12:0 a.m.19 views

Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

This module enables you to turn a Drupal install into the Central Authentication System CAS. It makes your database the primary location for other systems to use for authentication in a SSO environment. The module doesn't sufficiently sanitize user-supplied field values configured to be included ...

4.2CVSS5.6AI score0.00152EPSS
Exploits0References1
Drupal
Drupal
added 2026/01/28 12:0 a.m.12 views

Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006

This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease. The module doesn't sufficiently validate access to...

4.8CVSS5.6AI score0.00138EPSS
Exploits0References2
Drupal
Drupal
added 2026/01/14 12:0 a.m.12 views

AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004

This module integrates the AT Internet Piano Analytics service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

4.8CVSS5.5AI score0.00142EPSS
Exploits0References3
Drupal
Drupal
added 2026/01/14 12:0 a.m.11 views

AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003

This module integrates the AT Internet SmartTag service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag"...

6.1CVSS5.6AI score0.00149EPSS
Exploits0References2
Drupal
Drupal
added 2026/01/14 12:0 a.m.12 views

Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

This module enables Drupal sites to authenticate users via Microsoft Entra ID formerly Azure AD using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials o...

6.5CVSS5.3AI score0.002EPSS
Exploits0References3
Drupal
Drupal
added 2026/01/14 12:0 a.m.13 views

Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

This module enables allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content. This vulnerability is mitigated by the fact that it only occurs when certain uncommon...

5.3CVSS5.5AI score0.00197EPSS
Exploits0References4
Drupal
Drupal
added 2026/01/14 12:0 a.m.9 views

Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...

8.8CVSS5.4AI score0.00221EPSS
Exploits0References1
Drupal
Drupal
added 2025/12/17 12:0 a.m.13 views

HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126

Http Client Manager introduces a new Guzzle based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The modules allows administrators to configure HTTP requests as part of Event Condition Action ECA...

7.5CVSS5.5AI score0.00263EPSS
Exploits0References4
Drupal
Drupal
added 2025/12/10 12:0 a.m.14 views

Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125

This module provides a centralized content distribution and syndication solution so thta customers can publish, reuse, and syndicate content across a network of Drupal websites. The module doesn't sufficiently protect export routes from cross-site request forgery CSRF attacks, potentially allowin...

8.1CVSS5.3AI score0.0013EPSS
Exploits0References1
Drupal
Drupal
added 2025/12/03 12:0 a.m.12 views

Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123

This module enables you to deploy content from one Drupal website to another. The module provides some default configuration without sufficient access control. This vulnerability is mitigated by the fact that an administrator can add some default access control permission...

5.3CVSS5.5AI score0.00187EPSS
Exploits0References1
Drupal
Drupal
added 2025/12/03 12:0 a.m.16 views

Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124

This module enables you to disable the standard Drupal login form /user/login so site owners can prevent interactive logins via the UI. The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker or legitimate user with valid credentials can...

4.2CVSS5.3AI score0.0022EPSS
Exploits0References2
Drupal
Drupal
added 2025/12/03 12:0 a.m.14 views

Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages. The module doesn't sufficiently protect its confirmation routes from cross-site request forgery CSRF, allowing the logout confirmation route to be triggered without user...

8.1CVSS5.2AI score0.00135EPSS
Exploits0References2
Drupal
Drupal
added 2025/12/03 12:0 a.m.14 views

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

This modules provides the ability to chat with an AI Agent using a large-language model LLM provider for different purposes. The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting XSS vulnerability where an attacker can use prompt injections on user-generated...

4.4CVSS5.2AI score0.00118EPSS
Exploits0References4
Drupal
Drupal
added 2025/12/03 12:0 a.m.12 views

Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements. The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting XSS vulnerability. This vulnerability is mitigated by t...

5.4CVSS5.2AI score0.00136EPSS
Exploits0References2
Drupal
Drupal
added 2025/12/03 12:0 a.m.13 views

Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...

6.1CVSS5.4AI score0.00141EPSS
Exploits0References3
Drupal
Drupal
added 2025/12/03 12:0 a.m.10 views

Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website. These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the modu...

5.4CVSS5.5AI score0.00148EPSS
Exploits0References2
Drupal
Drupal
added 2025/12/03 12:0 a.m.14 views

CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration. This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system. This access bypass is possible for any account with a Vie...

5.3CVSS5.6AI score0.00234EPSS
Exploits0References1
Drupal
Drupal
added 2025/11/12 12:0 a.m.11 views

Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests...

5.3CVSS5.5AI score0.00287EPSS
Exploits0References7
Drupal
Drupal
added 2025/11/12 12:0 a.m.11 views

Drupal core - Moderately critical - Defacement - SA-CORE-2025-007

By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement. The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content such as branding is rendered...

4.3CVSS5.3AI score0.00198EPSS
Exploits0References7
Total number of security vulnerabilities1940