Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
364 vulnerabilities
CVE-2026-11913 (GCVE-0-2026-11913)
Vulnerability from cvelistv5 – Published: 2026-07-10 22:00 – Updated: 2026-07-10 22:00
VLAI
EPSS
VEX
Title
Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
Summary
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Mother May I |
Affected:
*.*
(semver)
|
Date Public
2026-06-10 17:08
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/mothermayi",
"product": "Mother May I",
"repo": "https://git.drupalcode.org/project/mothermayi",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-06-10T17:08:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:00:08.662Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-045"
}
],
"title": "Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-11913",
"datePublished": "2026-07-10T22:00:08.662Z",
"dateReserved": "2026-06-10T16:43:04.126Z",
"dateUpdated": "2026-07-10T22:00:08.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11914 (GCVE-0-2026-11914)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:59 – Updated: 2026-07-10 21:59
VLAI
EPSS
VEX
Title
Composer - Critical - Unsupported - SA-CONTRIB-2026-046
Summary
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Date Public
2026-06-10 17:09
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/composer",
"product": "Composer",
"repo": "https://git.drupalcode.org/project/composer",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-06-10T17:09:45.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:59:28.008Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-046"
}
],
"title": "Composer - Critical - Unsupported - SA-CONTRIB-2026-046"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-11914",
"datePublished": "2026-07-10T21:59:28.008Z",
"dateReserved": "2026-06-10T16:43:05.303Z",
"dateUpdated": "2026-07-10T21:59:28.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11915 (GCVE-0-2026-11915)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:58 – Updated: 2026-07-10 21:58
VLAI
EPSS
VEX
Title
Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047
Summary
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Brute force attack protection |
Affected:
*.*
(semver)
|
Date Public
2026-06-10 17:10
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/bfap_sb",
"product": "Brute force attack protection",
"repo": "https://git.drupalcode.org/project/bfap_sb",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-06-10T17:10:26.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:58:18.624Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-047"
}
],
"title": "Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-11915",
"datePublished": "2026-07-10T21:58:18.624Z",
"dateReserved": "2026-06-10T16:43:06.497Z",
"dateUpdated": "2026-07-10T21:58:18.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15087 (GCVE-0-2026-15087)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:57 – Updated: 2026-07-10 21:57
VLAI
EPSS
VEX
Title
Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078
Summary
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Clean RESTful |
Affected:
*.*
(semver)
|
Date Public
2026-07-08 17:19
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/clean_node_api",
"product": "Clean RESTful",
"repo": "https://git.drupalcode.org/project/clean_node_api",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T17:19:42.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:57:28.467Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-078"
}
],
"title": "Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15087",
"datePublished": "2026-07-10T21:57:28.467Z",
"dateReserved": "2026-07-08T15:45:01.154Z",
"dateUpdated": "2026-07-10T21:57:28.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15086 (GCVE-0-2026-15086)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:57 – Updated: 2026-07-10 21:57
VLAI
EPSS
VEX
Title
Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077
Summary
vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Raw Formatter [Meta Tag Formatter] |
Affected:
*.*
(semver)
|
Date Public
2026-07-08 17:19
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/raw_formatter",
"product": "Raw Formatter [Meta Tag Formatter]",
"repo": "https://git.drupalcode.org/project/raw_formatter",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T17:19:33.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:57:19.321Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-077"
}
],
"title": "Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15086",
"datePublished": "2026-07-10T21:57:19.321Z",
"dateReserved": "2026-07-08T15:45:00.086Z",
"dateUpdated": "2026-07-10T21:57:19.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15089 (GCVE-0-2026-15089)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:54 – Updated: 2026-07-10 21:57
VLAI
EPSS
VEX
Title
Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079
Summary
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Commerce guest registration |
Affected:
*.*
(semver)
|
Date Public
2026-07-08 17:20
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/commerce_guest_registration",
"product": "Commerce guest registration",
"repo": "https://git.drupalcode.org/project/commerce_guest_registration",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T17:20:24.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:57:34.124Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-079"
}
],
"title": "Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15089",
"datePublished": "2026-07-10T21:54:42.802Z",
"dateReserved": "2026-07-08T15:45:03.255Z",
"dateUpdated": "2026-07-10T21:57:34.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55808 (GCVE-0-2026-55808)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:58
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cantina_security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bj\u00c3\u00b6rn Brala (bbrala)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kim Pepper (kim.pepper)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:58:02.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:43.600Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-009"
}
],
"title": "Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55808",
"datePublished": "2026-07-10T21:46:43.600Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:43.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55807 (GCVE-0-2026-55807)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008
Summary
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:57
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi (0xhamy)"
},
{
"lang": "en",
"type": "finder",
"value": "assaf alassaf (ama62)"
},
{
"lang": "en",
"type": "finder",
"value": "Albert Skibinski (askibinski)"
},
{
"lang": "en",
"type": "finder",
"value": "Jon Minder (ayalon)"
},
{
"lang": "en",
"type": "finder",
"value": "Lautaro Casanova (betah4k)"
},
{
"lang": "en",
"type": "finder",
"value": "Gabe Sullice (gabesullice)"
},
{
"lang": "en",
"type": "finder",
"value": "John Morahan (john morahan)"
},
{
"lang": "en",
"type": "finder",
"value": "Michael Winser (michaelwinser)"
},
{
"lang": "en",
"type": "finder",
"value": "nbanderson"
},
{
"lang": "en",
"type": "finder",
"value": "offensive-ai"
},
{
"lang": "en",
"type": "finder",
"value": "Francesco Placella (plach)"
},
{
"lang": "en",
"type": "finder",
"value": "quynh ho (qquynh)"
},
{
"lang": "en",
"type": "finder",
"value": "Himanshu Anand (unknownhad)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Adam G-H (phenaproxima)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sean Blommaert (seanb)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Mori Sugimoto (dokumori)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:57:49.000Z",
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:40.786Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-008"
}
],
"title": "Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55807",
"datePublished": "2026-07-10T21:46:40.786Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:40.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55806 (GCVE-0-2026-55806)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:57
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Melih Acikoz"
},
{
"lang": "en",
"type": "finder",
"value": "Michael Winser (michaelwinser)"
},
{
"lang": "en",
"type": "finder",
"value": "Willem Drupal enthousiast (willempje2)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:57:37.000Z",
"descriptions": [
{
"lang": "en",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:39.920Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-007"
}
],
"title": "Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55806",
"datePublished": "2026-07-10T21:46:39.920Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:39.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55804 (GCVE-0-2026-55804)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:57
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mohit Aghera (mohit_aghera)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:57:02.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:39.054Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-006"
}
],
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55804",
"datePublished": "2026-07-10T21:46:39.054Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:39.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55803 (GCVE-0-2026-55803)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Critical - PHP object injection - SA-CORE-2026-005
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:56
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bj\u00c3\u00b6rn Brala (bbrala)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sascha Grossenbacher (berdir)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "David Strauss (david strauss)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tim Hestenes Lehnen (hestenet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:56:50.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:38.051Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-005"
}
],
"title": "Drupal core - Critical - PHP object injection - SA-CORE-2026-005"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55803",
"datePublished": "2026-07-10T21:46:38.051Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:38.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15085 (GCVE-0-2026-15085)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | AI SEO/GEO Analyzer |
Affected:
0.0.0 , < 1.1.3
(semver)
|
Date Public
2026-07-08 17:18
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ai_seo",
"product": "AI SEO/GEO Analyzer",
"repo": "https://git.drupalcode.org/project/ai_seo",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juhani V\u00c3\u00a4\u00c3\u00a4t\u00c3\u00a4j\u00c3\u00a4 (j-vee)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2026-07-08T17:18:39.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:35.632Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-076"
}
],
"title": "AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15085",
"datePublished": "2026-07-10T21:46:35.632Z",
"dateReserved": "2026-07-08T15:44:59.219Z",
"dateUpdated": "2026-07-10T21:46:35.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15084 (GCVE-0-2026-15084)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | UI Patterns (SDC in Drupal UI) |
Affected:
2.0.0 , < 2.0.17
(semver)
|
Date Public
2026-07-08 17:17
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ui_patterns",
"product": "UI Patterns (SDC in Drupal UI)",
"repo": "https://git.drupalcode.org/project/ui_patterns",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.17",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Herv\u00c3\u00a9 Donner (herved)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Florent Torregrosa (grimreaper)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Herv\u00c3\u00a9 Donner (herved)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mikael Meulle (just_like_good_vibes)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Dureau (pdureau)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-08T17:17:41.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:34.771Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-075"
}
],
"title": "UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15084",
"datePublished": "2026-07-10T21:46:34.771Z",
"dateReserved": "2026-07-08T15:44:58.126Z",
"dateUpdated": "2026-07-10T21:46:34.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15083 (GCVE-0-2026-15083)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | ECA: Event - Condition - Action |
Affected:
0.0.0 , < 2.1.20
(semver)
Affected: 3.0.0 , < 3.0.12 (semver) Affected: 3.1.0 , < 3.1.4 (semver) |
Date Public
2026-07-08 17:16
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/eca",
"product": "ECA: Event - Condition - Action",
"repo": "https://git.drupalcode.org/project/eca",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.20",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "3.0.12",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.4",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Changhai Qi (qichanghai)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "J\u00c3\u00bcrgen Haas (jurgenhaas)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-08T17:16:32.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:33.886Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-074"
}
],
"title": "ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15083",
"datePublished": "2026-07-10T21:46:33.886Z",
"dateReserved": "2026-07-08T15:44:57.178Z",
"dateUpdated": "2026-07-10T21:46:33.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15082 (GCVE-0-2026-15082)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Siteimprove Analytics |
Affected:
0.0.0 , < 2.0.1
(semver)
|
Date Public
2026-07-08 17:15
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/siteimprove_analytics",
"product": "Siteimprove Analytics",
"repo": "https://git.drupalcode.org/project/siteimprove_analytics",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bohdan Artemchuk (bohart)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andriy Parkhomiuk (grask0)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-08T17:15:18.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:22.143Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-073"
}
],
"title": "Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15082",
"datePublished": "2026-07-10T21:46:22.143Z",
"dateReserved": "2026-07-08T15:44:56.251Z",
"dateUpdated": "2026-07-10T21:46:22.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15081 (GCVE-0-2026-15081)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0.
Severity
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Location Selector |
Affected:
0.0.0 , < 1.3.0
(semver)
|
Date Public
2026-07-08 17:14
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/location_selector",
"product": "Location Selector",
"repo": "https://git.drupalcode.org/project/location_selector",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "handkerchief"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-07-08T17:14:27.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:21.263Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-072"
}
],
"title": "Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15081",
"datePublished": "2026-07-10T21:46:21.263Z",
"dateReserved": "2026-07-08T15:44:55.221Z",
"dateUpdated": "2026-07-10T21:46:21.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15080 (GCVE-0-2026-15080)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4.
Severity
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Ray Enterprise Translation |
Affected:
0.0.0 , < 4.0.4
(semver)
Affected: 4.1.0 , < 4.1.4 (semver) Affected: 11.0.0 , < 11.0.4 (semver) |
Date Public
2026-07-08 17:13
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/lingotek",
"product": "Ray Enterprise Translation",
"repo": "https://git.drupalcode.org/project/lingotek",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "4.1.4",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "11.0.4",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Naresh Bavaskar (naresh_bavaskar)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-08T17:13:44.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:20.380Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-071"
}
],
"title": "Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15080",
"datePublished": "2026-07-10T21:46:20.380Z",
"dateReserved": "2026-07-08T15:44:54.212Z",
"dateUpdated": "2026-07-10T21:46:20.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15079 (GCVE-0-2026-15079)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070
Summary
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4.
Severity
No CVSS data available.
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Login Disable |
Affected:
0.0.0 , < 2.1.4
(semver)
|
Date Public
2026-07-08 17:12
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/login_disable",
"product": "Login Disable",
"repo": "https://git.drupalcode.org/project/login_disable",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Boris Doesborg (batigolix)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-08T17:12:32.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:19.486Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-070"
}
],
"title": "Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15079",
"datePublished": "2026-07-10T21:46:19.486Z",
"dateReserved": "2026-07-08T15:44:53.333Z",
"dateUpdated": "2026-07-10T21:46:19.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58591 (GCVE-0-2026-58591)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
Date Public
2026-07-01 17:24
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/colorbox",
"product": "Colorbox",
"repo": "https://git.drupalcode.org/project/colorbox",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Paul McKibben (paulmckibben)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-01T17:24:05.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:18.632Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-069"
}
],
"title": "Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58591",
"datePublished": "2026-07-10T21:46:18.632Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:18.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58590 (GCVE-0-2026-58590)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068
Summary
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
Date Public
2026-07-01 17:22
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/flowdrop",
"product": "FlowDrop",
"repo": "https://git.drupalcode.org/project/flowdrop",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aincient Labs (aincient labs)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Shibin Das (d34dman)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-01T17:22:46.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:17.722Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-068"
}
],
"title": "FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58590",
"datePublished": "2026-07-10T21:46:17.722Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:17.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58589 (GCVE-0-2026-58589)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
Summary
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
Date Public
2026-07-01 17:21
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/flowdrop",
"product": "FlowDrop",
"repo": "https://git.drupalcode.org/project/flowdrop",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aincient Labs (aincient labs)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Shibin Das (d34dman)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-01T17:21:57.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:16.889Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-067"
}
],
"title": "FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58589",
"datePublished": "2026-07-10T21:46:16.889Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:16.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58588 (GCVE-0-2026-58588)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal Canvas |
Affected:
0.0.0 , < 1.4.2
(semver)
Affected: 1.5.0 , < 1.5.2 (semver) Affected: 1.6.0 , < 1.6.1 (semver) Affected: 1.7.0 , < 1.7.1 (semver) |
Date Public
2026-07-01 17:21
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/canvas",
"product": "Drupal Canvas",
"repo": "https://git.drupalcode.org/project/canvas",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.5.2",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
},
{
"lessThan": "1.6.1",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
},
{
"lessThan": "1.7.1",
"status": "affected",
"version": "1.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "AKHIL BABU (akhil babu)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-07-01T17:21:09.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:15.991Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-066"
}
],
"title": "Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58588",
"datePublished": "2026-07-10T21:46:15.991Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:15.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58587 (GCVE-0-2026-58587)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal Canvas |
Affected:
0.0.0 , < 1.4.2
(semver)
Affected: 1.5.0 , < 1.5.2 (semver) Affected: 1.6.0 , < 1.6.1 (semver) Affected: 1.7.0 , < 1.7.1 (semver) |
Date Public
2026-07-01 17:20
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/canvas",
"product": "Drupal Canvas",
"repo": "https://git.drupalcode.org/project/canvas",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.5.2",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
},
{
"lessThan": "1.6.1",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
},
{
"lessThan": "1.7.1",
"status": "affected",
"version": "1.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "AKHIL BABU (akhil babu)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Bronstein (effulgentsia)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-07-01T17:20:16.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:15.116Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-065"
}
],
"title": "Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58587",
"datePublished": "2026-07-10T21:46:15.116Z",
"dateReserved": "2026-07-01T17:08:05.252Z",
"dateUpdated": "2026-07-10T21:46:15.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13244 (GCVE-0-2026-13244)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Tealium iQ Tag Management |
Affected:
0.0.0 , < 2.4.0
(semver)
|
Date Public
2026-06-26 15:27
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tealiumiq",
"product": "Tealium iQ Tag Management",
"repo": "https://git.drupalcode.org/project/tealiumiq",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel Schiavone (schiavone)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-26T15:27:49.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:14.260Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-064"
}
],
"title": "Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13244",
"datePublished": "2026-07-10T21:46:14.260Z",
"dateReserved": "2026-06-24T18:00:17.008Z",
"dateUpdated": "2026-07-10T21:46:14.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13243 (GCVE-0-2026-13243)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3.
Severity
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Salesforce Suite |
Affected:
0.0.0 , < 5.1.3
(semver)
|
Date Public
2026-06-24 18:48
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/salesforce",
"product": "Salesforce Suite",
"repo": "https://git.drupalcode.org/project/salesforce",
"vendor": "Drupal",
"versions": [
{
"lessThan": "5.1.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammedali Aliyev (swordmein)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Aaron Bauman (aaronbauman)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-06-24T18:48:15.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:55.591Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-063"
}
],
"title": "Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13243",
"datePublished": "2026-07-10T21:44:55.591Z",
"dateReserved": "2026-06-24T18:00:16.032Z",
"dateUpdated": "2026-07-10T21:44:55.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13242 (GCVE-0-2026-13242)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0.
Severity
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Geolocation Field |
Affected:
0.0.0 , < 3.15.0
(semver)
|
Date Public
2026-06-24 18:46
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/geolocation",
"product": "Geolocation Field",
"repo": "https://git.drupalcode.org/project/geolocation",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian Adamski (christianadamski)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-24T18:46:12.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:54.721Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-062"
}
],
"title": "Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13242",
"datePublished": "2026-07-10T21:44:54.721Z",
"dateReserved": "2026-06-24T18:00:15.050Z",
"dateUpdated": "2026-07-10T21:44:54.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13241 (GCVE-0-2026-13241)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
Summary
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Paragraphs |
Affected:
0.0.0 , < 1.21.0
(semver)
|
Date Public
2026-06-24 18:43
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/paragraphs",
"product": "Paragraphs",
"repo": "https://git.drupalcode.org/project/paragraphs",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.21.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mustafa Ahmed (mustafa007)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sascha Grossenbacher (berdir)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-24T18:43:16.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:53.879Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-061"
}
],
"title": "Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13241",
"datePublished": "2026-07-10T21:44:53.879Z",
"dateReserved": "2026-06-24T18:00:14.145Z",
"dateUpdated": "2026-07-10T21:44:53.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13240 (GCVE-0-2026-13240)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060
Summary
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Paragraphs |
Affected:
0.0.0 , < 1.21.0
(semver)
|
Date Public
2026-06-24 18:42
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/paragraphs",
"product": "Paragraphs",
"repo": "https://git.drupalcode.org/project/paragraphs",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.21.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sascha Grossenbacher (berdir)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-06-24T18:42:30.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:53.011Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-060"
}
],
"title": "Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13240",
"datePublished": "2026-07-10T21:44:53.011Z",
"dateReserved": "2026-06-24T18:00:13.250Z",
"dateUpdated": "2026-07-10T21:44:53.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13239 (GCVE-0-2026-13239)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
WissKI - Critical - Access bypass - SA-CONTRIB-2026-059
Summary
Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Date Public
2026-06-24 18:40
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/wisski",
"product": "WissKI",
"repo": "https://git.drupalcode.org/project/wisski",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "knurg"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-24T18:40:57.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:52.141Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-059"
}
],
"title": "WissKI - Critical - Access bypass - SA-CONTRIB-2026-059"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13239",
"datePublished": "2026-07-10T21:44:52.141Z",
"dateReserved": "2026-06-24T18:00:12.360Z",
"dateUpdated": "2026-07-10T21:44:52.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13238 (GCVE-0-2026-13238)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058
Summary
Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Commerce Realex / Global Payments |
Affected:
0.0.0 , < 3.0.2
(semver)
|
Date Public
2026-06-24 18:40
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/commerce_realex",
"product": "Commerce Realex / Global Payments",
"repo": "https://git.drupalcode.org/project/commerce_realex",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bill Seremetis (bserem)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Burke (alanburke)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bill Seremetis (bserem)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jaime Seuma (jaims-dev)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-24T18:40:07.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:51.275Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-058"
}
],
"title": "Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13238",
"datePublished": "2026-07-10T21:44:51.275Z",
"dateReserved": "2026-06-24T18:00:11.427Z",
"dateUpdated": "2026-07-10T21:44:51.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}