Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 6 days ago7 views

Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9AI score0.00236EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago5 views

Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070

The Login Disable module prevents users from logging in to your Drupal site unless they know the secret key to add to the end of the login form page. The module doesn't sufficiently protect the disabled login form from brute force attacks. Depending on the length of the key this could allow an...

5.8AI score0.00213EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago5 views

ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074

The Events, Conditions, Actions ECA module's Render submodule enables you to build render arrays and render inline Twig templates as part of no-code ECA models. The module doesn't sufficiently sanitize template code when rendering, which can lead to information disclosure. This vulnerability is...

5.9AI score0.002EPSS
Exploits0References1
Drupal
Drupal
added 6 days ago5 views

Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9AI score0.00236EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago7 views

Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072

The Location Selector module provides a Views filter for selecting location values. One of the provided Views filters does not sufficiently sanitize values that may come from user input, resulting in a SQL injection vulnerability. This vulnerability is mitigated by the fact that a View must exist...

6AI score0.00194EPSS
Exploits0References1
Drupal
Drupal
added 6 days ago5 views

Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073

The module doesn't sufficiently sanitize the Siteimprove Analytics identification code when inserting the JavaScript tracking code; this could be exploited to achieve Cross-Site Scripting XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

6AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago4 views

Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9AI score0.00236EPSS
Exploits0References3
Drupal
Drupal
added 6 days ago7 views

Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

The Lingotek Ray Enterprise Translation provides multilingual site management. The module fails to protect several state-changing administrative routes against Cross Site Request Forgery attacks. An attacker could trick a privileged user into visiting a crafted page that triggers actions such as...

5.9AI score0.00119EPSS
Exploits0References3
Drupal
Drupal
added 6 days ago5 views

UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075

This module enables you to use Single Directory Components in site building views, field formatters, blocks, layouts and it improves the Developer Experience DX with SDC. The module doesn't sufficiently sanitize the markup passed to components under certain scenarios. This vulnerability is...

5.8AI score0.00254EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago6 views

AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076

The AI SEO/GEO Analyzer module generates SEO/GEO analysis reports by sending content of an entity including its comments to an LLM, then converts the model's Markdown response to HTML and stores it for display to privileged users. The generated HTML was rendered without passing through Drupal's...

6AI score0.00254EPSS
Exploits0References2
Drupal
Drupal
added 2026/07/01 12:0 a.m.5 views

Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065

The Canvas AI submodule allows you to upload image files via a custom API to use within the AI web chat. These file uploads are insufficiently validated before being written to Drupal's temporary directory. In some cases, this may lead to cross-site scripting XSS...

5.8AI score0.00204EPSS
Exploits0References5
Drupal
Drupal
added 2026/07/01 12:0 a.m.7 views

FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067

This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution incurring LLM spend and tool side effects or send messages into other...

6.1AI score0.0018EPSS
Exploits0References2
Drupal
Drupal
added 2026/07/01 12:0 a.m.7 views

Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066

The Canvas module allow you to upload image files via a custom API. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the uploaded file...

5.8AI score0.00204EPSS
Exploits0References5
Drupal
Drupal
added 2026/07/01 12:0 a.m.6 views

FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068

This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows that were not intended by the use...

6.1AI score0.0018EPSS
Exploits0References2
Drupal
Drupal
added 2026/07/01 12:0 a.m.9 views

Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069

The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page. The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios. This vulnerability is mitigated by the fact that an attacker must have a...

6AI score0.00204EPSS
Exploits0References3
Drupal
Drupal
added 2026/06/26 12:0 a.m.11 views

Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064

The Tealium iQ Tag Management module provides Drupal integration with Tealium iQ. tealiumiq stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized. This...

5.8AI score0.00417EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.8 views

Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051

This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses. The module doesn't sufficiently sanitize several administrator-configured response messages the "Yes response", "No...

5.8AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.11 views

Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062

Geolocation modules adds a field to store coordinates and provides supporting plumbing for views and other modules. One of the provided views filters does not sufficiently sanitize values if exposed to user input resulting in a SQL injection vulnerability. This vulnerability is mitigated by the...

5.9AI score0.00157EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

AI Agents - Moderately critical - Information disclosure, Access bypass - SA-CONTRIB-2026-057

This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. Under certain circumstances, the agent inherits deterministic parameters when invoking the same tool in one request, which can lead to information disclosure...

5.8AI score0.00142EPSS
Exploits0References4
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

WissKI - Critical - Access bypass - SA-CONTRIB-2026-059

The module adds support for the mirador viewer in WissKI and enables annotations on images via the mirador viewer. It does not sufficiently check the submitted parameters via a route and writes these to the session object without further checks, which can lead to Access Bypass. This vulnerability...

5.9AI score0.00132EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.11 views

Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060

The optional Paragraphs Library module allows the reuse of paragraphs in multiple places. The module doesn't sufficiently restrict access to unpublished library items in lists. This vulnerability is mitigated by the fact the paragraphslibrary module must be in use, and that an attacker must have...

5.9AI score0.00132EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061

The optional Paragraphs Library module allows the reuse of paragraphs in multiple places. The module doesn't sufficiently restrict access to direct child paragraphs of library items through API endpoints. This vulnerability is mitigated by the fact the paragraphslibrary module must be in use and...

5.8AI score0.00132EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

OpenAI Provider - Moderately critical - Server-side Request Forgery - SA-CONTRIB-2026-053

This module enables you to use OpenAI as a provider for the AI module. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have the access to change the host url...

5.9AI score0.00142EPSS
Exploits0References3
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063

The Salesforce Suite of modules integrates Drupal with Salesforce. The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account. This vulnerabili...

5.7AI score0.00097EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055

This module enables you to utilize an agent to use Drupal core actions tools with bypassed access. Certain Drupal core actions, exposed as agent tools did not have correct access validation, and some core actions were missing associated access-level definitions. This vulnerability is mitigated by...

5.8AI score0.00142EPSS
Exploits0References4
Drupal
Drupal
added 2026/06/24 12:0 a.m.8 views

AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056

This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. The module does not sufficiently check the required permissions when a tool loads content entities. This vulnerability is mitigated by the fact that an agent must be configured to use the affected...

5.9AI score0.00142EPSS
Exploits0References4
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058

This module enables you to take payments through the Global Payments / Realex Hosted Payment Page HPP, either via a lightbox iframe or via a full-page redirect. When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment...

5.9AI score0.0018EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.8 views

Advanced Content Feedback (aka admin_feedback) - Moderately critical - Access bypass / Insecure Direct Object Reference (IDOR) - SA-CONTRIB-2026-052

This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote. The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission. This...

5.8AI score0.00142EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054

The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to Cross Site Scripting, or exposing secr...

5.9AI score0.00161EPSS
Exploits0References4
Drupal
Drupal
added 2026/06/17 12:0 a.m.10 views

Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048

The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis. formatterfield stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can...

5.9AI score0.00173EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/17 12:0 a.m.9 views

Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049

The Flag attendance field module gives you the ability to add attendance by depending on Flag module. flagattendancefield stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when th...

5.4AI score0.00173EPSS
Exploits0References3
Drupal
Drupal
added 2026/06/17 12:0 a.m.9 views

Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050

The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library. The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection...

5.4AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/17 12:0 a.m.20 views

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain...

5.4AI score0.00161EPSS
Exploits0References9
Drupal
Drupal
added 2026/06/17 12:0 a.m.10 views

Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application...

6.6AI score0.00161EPSS
Exploits0References7
Drupal
Drupal
added 2026/06/17 12:0 a.m.11 views

Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007

Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal clearing the caches and rebuilding the container when the site is in an unexpected condition. This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cac...

5.2AI score0.00133EPSS
Exploits0References7
Drupal
Drupal
added 2026/06/17 12:0 a.m.10 views

Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008

The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery. The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL...

5.3AI score0.00133EPSS
Exploits0References8
Drupal
Drupal
added 2026/06/17 12:0 a.m.21 views

Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009

The JSON:API and REST modules allow you to upload image files to image fields. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the...

4.8AI score0.0015EPSS
Exploits0References7
Drupal
Drupal
added 2026/06/10 12:0 a.m.14 views

Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets. The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability...

5.5AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/10 12:0 a.m.14 views

Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044

The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality. The "Read from a file" feature implemented by the fileexample submodule can be used to expose any file that PHP can access. Therefore, the fileexample...

5.5AI score0.00142EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/10 12:0 a.m.9 views

Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.2AI score0.00153EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/10 12:0 a.m.14 views

Composer - Critical - Unsupported - SA-CONTRIB-2026-046

The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...

5.3AI score0.00153EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/10 12:0 a.m.15 views

Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.2AI score0.00153EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/03 12:0 a.m.15 views

LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview. The module doesn't sufficiently restrict access to a view of Service Contacts at which...

5.8AI score0.00142EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/03 12:0 a.m.15 views

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...

5.9AI score
Exploits0References2
Drupal
Drupal
added 2026/06/03 12:0 a.m.18 views

Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting XSS. This vulnerability is mitigated by the fact that it only affects installations with Checkout commercecheckout enabled, and the "Comments"...

5.8AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/03 12:0 a.m.17 views

Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042

This module provides spam protection using the CleanTalk cloud service. The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The cleantalkdie and ctdie functions output the CleanTalk API response message directly into HTML without proper sanitizatio...

5.9AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/05/27 12:0 a.m.24 views

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

The Basket module enables e-commerce and checkout functionality for Drupal sites. The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize. An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the...

6AI score0.00161EPSS
Exploits0References1
Drupal
Drupal
added 2026/05/20 12:0 a.m.20 views

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL...

9.8CVSS6.2AI score0.84631EPSS
Exploits14References12
Drupal
Drupal
added 2026/05/13 12:0 a.m.14 views

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References2
Drupal
Drupal
added 2026/05/13 12:0 a.m.15 views

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

The GTranslate module provides a language switcher widget for Drupal sites. The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to poi...

2.7CVSS5.8AI score0.00236EPSS
Exploits0References2
Total number of security vulnerabilities1940