1940 matches found
Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data...
Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files schemes that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This...
Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115
The Email TFA module provides additional email-based two-factor authentication for Drupal logins. In certain scenarios, the module does not fully protect all login mechanisms as expected. This issue is mitigated by the fact that an attacker must already have valid user credentials username and...
Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116
This module provides the ability to convert any entity form into a simple multi-step form. The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114
This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based...
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with...
CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112
CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manu...
Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108
This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their...
Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109
This module enables you to add Umami Analytics web statistics tracking system to your website. The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should...
Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110
This module allows you to use different currencies on your website and do currency conversion. The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery CSRF attacks, potentially allowing an attacker to trick an admin into changing settin...
JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106
This module enables you to store and display JSON data using optional 3rd party libraries. The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting XSS vulnerability...
Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107
This module integrates Plausible Analytics on a site. The module did not properly filter output in certain cases. This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment...
Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111
This module allows you to specify an HTTP header name to determine the client's IP address. The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings'reverseproxy' is set to TRUE and $settings'reverseproxyaddresses' is configured. This vulnerability...
Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105
This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site. The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability. This...
Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098
This module allows users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module did not protect all possible login paths provided by core modules. CVSS risk score experimental 6.3 / Medium...
Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100
This module enables you to to easily create and manage faceted search interfaces. The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...
Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099
This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently check access to entities when they are displayed as facets. This vulnerability is mitigated by the fact that only sites that show facets with entity labels like taxonomy terms are...
Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. CVSS risk score experimental...
API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097
The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder. The module doesn't sufficiently control access for adding sections in the submodule. This vulnerability is mitigated by the fact that an attacke...
Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096
This module enables users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow. The module doesn't sufficiently validate authentication under specific...
AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095
This module enables you to provide SEO analysis and recommendations for a given URL. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094
This module enables you to integrate Google Tag Manager GTM into your Drupal site by allowing administrators to configure and embed GTM container snippets. The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters...
Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093
This module enables you to access an edit page for a config page. The module doesn't sufficiently check the access permissions hookENTITYTYPEaccess wasn't taken into account. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" an...
COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092
This module allows you to manage video media items using the COOKiES module disabling external video elements. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might...
File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089
The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views. The File Download module...
Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091
This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like. The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack. This...
Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090
This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format. The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover,...
Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088
This module enables users to login by email address with the minimal configurations. The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an...
Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087
This module provides a format filter, which allows you to "disable" iframes e.g. remove their src attribute specified by the user. These elements will be enabled again, once the Cookies banner is accepted. The module doesn't sufficiently filter user-supplied content when their value might contain...
Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086
This module enables you to use configpages as a content entity. The module doesn't check permission or entity access before rendering configpages content...
Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085
This module enables you to allow and/or require a second authentication method in addition to password authentication. The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users. This vulnerability is mitigated by the fact...
GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078
GLightbox module is a pure Javascript lightbox for CKEditor. The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079
Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events. The module doesn't sufficiently protect certain routes from Cross Site Request Forgery CSRF attacks. Users can be tricked into accepting or rejecting these...
Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077
This module enables you to generate Table of content of your pages given a configuration. The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to...
CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081
The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor. The module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading...
Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080
Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting XSS attacks. This...
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082
The module enables you to add second-factor authentication on top of the default Drupal login. The module does not sufficiently ensure that known authorization routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...
Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083
Simple XML sitemap is a SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines. The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site scripting XSS attack vector. This vulnerability is mitigated ...
Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084
Project Paragraphs table provides a field for a collection table. The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing...
Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070
This module enables you to setup a repeating date rule that users can "book" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons. This module has a permission of "view booking" and "view booking contact" which allows you to...
Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-071
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be...
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076
The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent. Each sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, thi...
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075
This module provides a format filter, which allows you to "disable" certain HTML elements e.g. remove their src attribute specified by the user. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attribute...
EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072
This module addresses the General Data Protection Regulation GDPR and the EU Directive on Privacy and Electronic Communications. The module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page. As a result, an attacker could injec...
Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability is...
etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074
The module adds the etracker web statistics tracking system to your website. The cookiesetracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users. A potential...
Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069
This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view. The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting XSS attacks when tags or scripts are...