1940 matches found
Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034
Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...
Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037
This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no...
Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033
This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user...
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application...
Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting XSS vulnerability...
Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032
The IframeConsent element writes HTML attributes without escaping their value. This module has a XSS vulnerability. If an attacker is able to write an tag, they may be able to insert arbitrary JavaScript. This vulnerability is mitigated by the fact that a text format that allows iframe-consent HT...
SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031
This module enables you to perform SAML-protocol-based single-sign-on SSO on a Drupal site. The module doesn't sufficiently block access, leading to a authentication bypass vulnerability...
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
This module provides a site administrator the ability to log users out after a specified time of inactivity. The module doesn't sufficiently protect its routes from cross-site request forgery CSRF, allowing the logout route to be triggered without user interaction...
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the...
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
This module creates permissions per node content type to control access to unpublished nodes per content type. The module does not consistently control access for unpublished translated nodes...
Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
This module extends the Drupal form API adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration. The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting XSS...
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. A visitor who successfully logs in to their Identity Provider and ...
Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes. This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" or...
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate the uniqueness of certain...
OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate certain fields coming fro...
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
This module moves files to and from private storage depending on the access of its owning entities. The module does not sufficiently incorporate the results of hookfiledownload when a custom or contrib module implements that hook leading to access bypass...
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
This module moves files to and from private storage depending on the access of its owning entities. The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances. This vulnerability is mitigated by the fact th...
AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons. The module doesn't sufficiently check access on the dashboard configuration route...
Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017
This module enables you to easily theme and build an entire website using only their browser, without the need to write code beyond basic JSX and CSS. Content creators are able to compose content on any part of the page without relying on developers. The project has a hidden sub-module, Drupal...
Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019
This module adds the favicons generated by realfavicongenerator.net to your Drupal site. The module does not filter administrator-entered text, leading to a persistent Cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013
This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets. The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the brows...
CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
This module enables you to protect web forms from automated spam by requiring users to pass a challenge. The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions. This vulnerability is mitigated...
Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016
This module integrates with Islandora, an open-source digital asset management DAM framework. Islandora integrates with various open-source services, which can be run in a distributed environment. The module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to...
Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
This module enables you to add icons to CKEditor. The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios...
Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
This module allows site builders to create so-called "themerule" config entities. These theme rules can render pages with different themes than the default when certain conditions match. The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enab...
SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018
This module enables you to perform SAML protocol-based single sign-on SSO on a Drupal site. The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting XSS vulnerability...
Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014
This module enables you to block bots by Firewall. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or...
Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009
This module allows content to be edited in-place. The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
This module enables you to integrate and manage icons with Drupal. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule...
Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: http://example.com/user/login?admin If they provide the access key and have a specific role they can log in. The module does not check for...
Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007
This module enables you to turn a Drupal install into the Central Authentication System CAS. It makes your database the primary location for other systems to use for authentication in a SSO environment. The module doesn't sufficiently sanitize user-supplied field values configured to be included ...
Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease. The module doesn't sufficiently validate access to...
AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004
This module integrates the AT Internet Piano Analytics service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003
This module integrates the AT Internet SmartTag service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag"...
Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
This module enables Drupal sites to authenticate users via Microsoft Entra ID formerly Azure AD using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials o...
Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
This module enables allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content. This vulnerability is mitigated by the fact that it only occurs when certain uncommon...
Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...
HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126
Http Client Manager introduces a new Guzzle based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The modules allows administrators to configure HTTP requests as part of Event Condition Action ECA...
Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125
This module provides a centralized content distribution and syndication solution so thta customers can publish, reuse, and syndicate content across a network of Drupal websites. The module doesn't sufficiently protect export routes from cross-site request forgery CSRF attacks, potentially allowin...
Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123
This module enables you to deploy content from one Drupal website to another. The module provides some default configuration without sufficient access control. This vulnerability is mitigated by the fact that an administrator can add some default access control permission...
Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124
This module enables you to disable the standard Drupal login form /user/login so site owners can prevent interactive logins via the UI. The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker or legitimate user with valid credentials can...
Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120
This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages. The module doesn't sufficiently protect its confirmation routes from cross-site request forgery CSRF, allowing the logout confirmation route to be triggered without user...
AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119
This modules provides the ability to chat with an AI Agent using a large-language model LLM provider for different purposes. The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting XSS vulnerability where an attacker can use prompt injections on user-generated...
Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121
This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements. The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting XSS vulnerability. This vulnerability is mitigated by t...
Next.js - Critical - Access bypass - SA-CONTRIB-2025-122
This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...
Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117
This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website. These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the modu...
CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118
The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration. This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system. This access bypass is possible for any account with a Vie...
Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests...
Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement. The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content such as branding is rendered...