Search
Find a vulnerability
Search criteria
1526 vulnerabilities by Drupal
CVE-2026-15089 (GCVE-0-2026-15089)
Vulnerability from nvd – Published: 2026-07-10 21:54 – Updated: 2026-07-10 21:57
VLAI
EPSS
VEX
Title
Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079
Summary
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Commerce guest registration |
Affected:
*.*
(semver)
|
Date Public
2026-07-08 17:20
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/commerce_guest_registration",
"product": "Commerce guest registration",
"repo": "https://git.drupalcode.org/project/commerce_guest_registration",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T17:20:24.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:57:34.124Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-079"
}
],
"title": "Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15089",
"datePublished": "2026-07-10T21:54:42.802Z",
"dateReserved": "2026-07-08T15:45:03.255Z",
"dateUpdated": "2026-07-10T21:57:34.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15087 (GCVE-0-2026-15087)
Vulnerability from nvd – Published: 2026-07-10 21:57 – Updated: 2026-07-10 21:57
VLAI
EPSS
VEX
Title
Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078
Summary
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Clean RESTful |
Affected:
*.*
(semver)
|
Date Public
2026-07-08 17:19
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/clean_node_api",
"product": "Clean RESTful",
"repo": "https://git.drupalcode.org/project/clean_node_api",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T17:19:42.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:57:28.467Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-078"
}
],
"title": "Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15087",
"datePublished": "2026-07-10T21:57:28.467Z",
"dateReserved": "2026-07-08T15:45:01.154Z",
"dateUpdated": "2026-07-10T21:57:28.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15086 (GCVE-0-2026-15086)
Vulnerability from nvd – Published: 2026-07-10 21:57 – Updated: 2026-07-10 21:57
VLAI
EPSS
VEX
Title
Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077
Summary
vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Raw Formatter [Meta Tag Formatter] |
Affected:
*.*
(semver)
|
Date Public
2026-07-08 17:19
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/raw_formatter",
"product": "Raw Formatter [Meta Tag Formatter]",
"repo": "https://git.drupalcode.org/project/raw_formatter",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-07-08T17:19:33.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:57:19.321Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-077"
}
],
"title": "Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15086",
"datePublished": "2026-07-10T21:57:19.321Z",
"dateReserved": "2026-07-08T15:45:00.086Z",
"dateUpdated": "2026-07-10T21:57:19.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11915 (GCVE-0-2026-11915)
Vulnerability from nvd – Published: 2026-07-10 21:58 – Updated: 2026-07-10 21:58
VLAI
EPSS
VEX
Title
Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047
Summary
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Brute force attack protection |
Affected:
*.*
(semver)
|
Date Public
2026-06-10 17:10
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/bfap_sb",
"product": "Brute force attack protection",
"repo": "https://git.drupalcode.org/project/bfap_sb",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-06-10T17:10:26.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:58:18.624Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-047"
}
],
"title": "Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-11915",
"datePublished": "2026-07-10T21:58:18.624Z",
"dateReserved": "2026-06-10T16:43:06.497Z",
"dateUpdated": "2026-07-10T21:58:18.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11914 (GCVE-0-2026-11914)
Vulnerability from nvd – Published: 2026-07-10 21:59 – Updated: 2026-07-10 21:59
VLAI
EPSS
VEX
Title
Composer - Critical - Unsupported - SA-CONTRIB-2026-046
Summary
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Date Public
2026-06-10 17:09
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/composer",
"product": "Composer",
"repo": "https://git.drupalcode.org/project/composer",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-06-10T17:09:45.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:59:28.008Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-046"
}
],
"title": "Composer - Critical - Unsupported - SA-CONTRIB-2026-046"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-11914",
"datePublished": "2026-07-10T21:59:28.008Z",
"dateReserved": "2026-06-10T16:43:05.303Z",
"dateUpdated": "2026-07-10T21:59:28.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11913 (GCVE-0-2026-11913)
Vulnerability from nvd – Published: 2026-07-10 22:00 – Updated: 2026-07-10 22:00
VLAI
EPSS
VEX
Title
Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
Summary
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Mother May I |
Affected:
*.*
(semver)
|
Date Public
2026-06-10 17:08
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/mothermayi",
"product": "Mother May I",
"repo": "https://git.drupalcode.org/project/mothermayi",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-06-10T17:08:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T22:00:08.662Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-045"
}
],
"title": "Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-11913",
"datePublished": "2026-07-10T22:00:08.662Z",
"dateReserved": "2026-06-10T16:43:04.126Z",
"dateUpdated": "2026-07-10T22:00:08.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58591 (GCVE-0-2026-58591)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
Date Public
2026-07-01 17:24
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/colorbox",
"product": "Colorbox",
"repo": "https://git.drupalcode.org/project/colorbox",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Paul McKibben (paulmckibben)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-01T17:24:05.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:18.632Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-069"
}
],
"title": "Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58591",
"datePublished": "2026-07-10T21:46:18.632Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:18.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58590 (GCVE-0-2026-58590)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068
Summary
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
Date Public
2026-07-01 17:22
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/flowdrop",
"product": "FlowDrop",
"repo": "https://git.drupalcode.org/project/flowdrop",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aincient Labs (aincient labs)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Shibin Das (d34dman)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-01T17:22:46.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:17.722Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-068"
}
],
"title": "FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58590",
"datePublished": "2026-07-10T21:46:17.722Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:17.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58589 (GCVE-0-2026-58589)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
Summary
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
Date Public
2026-07-01 17:21
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/flowdrop",
"product": "FlowDrop",
"repo": "https://git.drupalcode.org/project/flowdrop",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aincient Labs (aincient labs)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Shibin Das (d34dman)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-01T17:21:57.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:16.889Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-067"
}
],
"title": "FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58589",
"datePublished": "2026-07-10T21:46:16.889Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:16.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58588 (GCVE-0-2026-58588)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal Canvas |
Affected:
0.0.0 , < 1.4.2
(semver)
Affected: 1.5.0 , < 1.5.2 (semver) Affected: 1.6.0 , < 1.6.1 (semver) Affected: 1.7.0 , < 1.7.1 (semver) |
Date Public
2026-07-01 17:21
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/canvas",
"product": "Drupal Canvas",
"repo": "https://git.drupalcode.org/project/canvas",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.5.2",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
},
{
"lessThan": "1.6.1",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
},
{
"lessThan": "1.7.1",
"status": "affected",
"version": "1.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "AKHIL BABU (akhil babu)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-07-01T17:21:09.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:15.991Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-066"
}
],
"title": "Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58588",
"datePublished": "2026-07-10T21:46:15.991Z",
"dateReserved": "2026-07-01T17:08:05.253Z",
"dateUpdated": "2026-07-10T21:46:15.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58587 (GCVE-0-2026-58587)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal Canvas |
Affected:
0.0.0 , < 1.4.2
(semver)
Affected: 1.5.0 , < 1.5.2 (semver) Affected: 1.6.0 , < 1.6.1 (semver) Affected: 1.7.0 , < 1.7.1 (semver) |
Date Public
2026-07-01 17:20
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/canvas",
"product": "Drupal Canvas",
"repo": "https://git.drupalcode.org/project/canvas",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.4.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "1.5.2",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
},
{
"lessThan": "1.6.1",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
},
{
"lessThan": "1.7.1",
"status": "affected",
"version": "1.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "AKHIL BABU (akhil babu)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Bronstein (effulgentsia)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-07-01T17:20:16.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:15.116Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-065"
}
],
"title": "Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-58587",
"datePublished": "2026-07-10T21:46:15.116Z",
"dateReserved": "2026-07-01T17:08:05.252Z",
"dateUpdated": "2026-07-10T21:46:15.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55810 (GCVE-0-2026-55810)
Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Plotly.js Graphing |
Affected:
0.0.0 , < 3.0.2
(semver)
|
Date Public
2026-06-17 18:40
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/plotly_js",
"product": "Plotly.js Graphing",
"repo": "https://git.drupalcode.org/project/plotly_js",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Stephen Mustgrave (smustgrave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:40:21.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:36.859Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-050"
}
],
"title": "Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55810",
"datePublished": "2026-07-10T21:44:36.859Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:44:36.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55809 (GCVE-0-2026-55809)
Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Flag attendance field |
Affected:
0.0.0 , < 1.2
(semver)
|
Date Public
2026-06-17 18:39
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/flag_attendance_field",
"product": "Flag attendance field",
"repo": "https://git.drupalcode.org/project/flag_attendance_field",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anas Mawlawi (anas_maw)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:39:26.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:35.985Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-049"
}
],
"title": "Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55809",
"datePublished": "2026-07-10T21:44:35.985Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:44:35.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55808 (GCVE-0-2026-55808)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:58
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cantina_security"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bj\u00c3\u00b6rn Brala (bbrala)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kim Pepper (kim.pepper)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:58:02.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:43.600Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-009"
}
],
"title": "Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55808",
"datePublished": "2026-07-10T21:46:43.600Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:43.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55807 (GCVE-0-2026-55807)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008
Summary
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:57
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi (0xhamy)"
},
{
"lang": "en",
"type": "finder",
"value": "assaf alassaf (ama62)"
},
{
"lang": "en",
"type": "finder",
"value": "Albert Skibinski (askibinski)"
},
{
"lang": "en",
"type": "finder",
"value": "Jon Minder (ayalon)"
},
{
"lang": "en",
"type": "finder",
"value": "Lautaro Casanova (betah4k)"
},
{
"lang": "en",
"type": "finder",
"value": "Gabe Sullice (gabesullice)"
},
{
"lang": "en",
"type": "finder",
"value": "John Morahan (john morahan)"
},
{
"lang": "en",
"type": "finder",
"value": "Michael Winser (michaelwinser)"
},
{
"lang": "en",
"type": "finder",
"value": "nbanderson"
},
{
"lang": "en",
"type": "finder",
"value": "offensive-ai"
},
{
"lang": "en",
"type": "finder",
"value": "Francesco Placella (plach)"
},
{
"lang": "en",
"type": "finder",
"value": "quynh ho (qquynh)"
},
{
"lang": "en",
"type": "finder",
"value": "Himanshu Anand (unknownhad)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Adam G-H (phenaproxima)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sean Blommaert (seanb)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Mori Sugimoto (dokumori)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:57:49.000Z",
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:40.786Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-008"
}
],
"title": "Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55807",
"datePublished": "2026-07-10T21:46:40.786Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:40.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55806 (GCVE-0-2026-55806)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:57
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Melih Acikoz"
},
{
"lang": "en",
"type": "finder",
"value": "Michael Winser (michaelwinser)"
},
{
"lang": "en",
"type": "finder",
"value": "Willem Drupal enthousiast (willempje2)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:57:37.000Z",
"descriptions": [
{
"lang": "en",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:39.920Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-007"
}
],
"title": "Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55806",
"datePublished": "2026-07-10T21:46:39.920Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:39.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55804 (GCVE-0-2026-55804)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:57
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mohit Aghera (mohit_aghera)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:57:02.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:39.054Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-006"
}
],
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55804",
"datePublished": "2026-07-10T21:46:39.054Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:39.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55803 (GCVE-0-2026-55803)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Drupal core - Critical - PHP object injection - SA-CORE-2026-005
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Drupal core |
Affected:
0.0.0 , < 10.5.12
(semver)
Affected: 10.6.0 , < 10.6.11 (semver) Affected: 11.2.0 , < 11.2.14 (semver) Affected: 11.3.0 , < 11.3.12 (semver) Affected: 0.0.0 , < 11.0.* (semver) Affected: 0.0.0 , < 11.1.* (semver) |
Date Public
2026-06-17 18:56
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.5.12",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "10.6.11",
"status": "affected",
"version": "10.6.0",
"versionType": "semver"
},
{
"lessThan": "11.2.14",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"lessThan": "11.3.12",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.*",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bj\u00c3\u00b6rn Brala (bbrala)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sascha Grossenbacher (berdir)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "David Strauss (david strauss)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tim Hestenes Lehnen (hestenet)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:56:50.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:38.051Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2026-005"
}
],
"title": "Drupal core - Critical - PHP object injection - SA-CORE-2026-005"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-55803",
"datePublished": "2026-07-10T21:46:38.051Z",
"dateReserved": "2026-06-17T14:59:52.673Z",
"dateUpdated": "2026-07-10T21:46:38.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15085 (GCVE-0-2026-15085)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | AI SEO/GEO Analyzer |
Affected:
0.0.0 , < 1.1.3
(semver)
|
Date Public
2026-07-08 17:18
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ai_seo",
"product": "AI SEO/GEO Analyzer",
"repo": "https://git.drupalcode.org/project/ai_seo",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juhani V\u00c3\u00a4\u00c3\u00a4t\u00c3\u00a4j\u00c3\u00a4 (j-vee)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2026-07-08T17:18:39.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:35.632Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-076"
}
],
"title": "AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15085",
"datePublished": "2026-07-10T21:46:35.632Z",
"dateReserved": "2026-07-08T15:44:59.219Z",
"dateUpdated": "2026-07-10T21:46:35.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15084 (GCVE-0-2026-15084)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | UI Patterns (SDC in Drupal UI) |
Affected:
2.0.0 , < 2.0.17
(semver)
|
Date Public
2026-07-08 17:17
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ui_patterns",
"product": "UI Patterns (SDC in Drupal UI)",
"repo": "https://git.drupalcode.org/project/ui_patterns",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.17",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Herv\u00c3\u00a9 Donner (herved)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Florent Torregrosa (grimreaper)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Herv\u00c3\u00a9 Donner (herved)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mikael Meulle (just_like_good_vibes)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Dureau (pdureau)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-08T17:17:41.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:34.771Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-075"
}
],
"title": "UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15084",
"datePublished": "2026-07-10T21:46:34.771Z",
"dateReserved": "2026-07-08T15:44:58.126Z",
"dateUpdated": "2026-07-10T21:46:34.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15083 (GCVE-0-2026-15083)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | ECA: Event - Condition - Action |
Affected:
0.0.0 , < 2.1.20
(semver)
Affected: 3.0.0 , < 3.0.12 (semver) Affected: 3.1.0 , < 3.1.4 (semver) |
Date Public
2026-07-08 17:16
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/eca",
"product": "ECA: Event - Condition - Action",
"repo": "https://git.drupalcode.org/project/eca",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.20",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "3.0.12",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.4",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Changhai Qi (qichanghai)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "J\u00c3\u00bcrgen Haas (jurgenhaas)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-08T17:16:32.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:33.886Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-074"
}
],
"title": "ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15083",
"datePublished": "2026-07-10T21:46:33.886Z",
"dateReserved": "2026-07-08T15:44:57.178Z",
"dateUpdated": "2026-07-10T21:46:33.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15082 (GCVE-0-2026-15082)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Siteimprove Analytics |
Affected:
0.0.0 , < 2.0.1
(semver)
|
Date Public
2026-07-08 17:15
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/siteimprove_analytics",
"product": "Siteimprove Analytics",
"repo": "https://git.drupalcode.org/project/siteimprove_analytics",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bohdan Artemchuk (bohart)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andriy Parkhomiuk (grask0)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-08T17:15:18.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:22.143Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-073"
}
],
"title": "Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15082",
"datePublished": "2026-07-10T21:46:22.143Z",
"dateReserved": "2026-07-08T15:44:56.251Z",
"dateUpdated": "2026-07-10T21:46:22.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15081 (GCVE-0-2026-15081)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0.
Severity
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Location Selector |
Affected:
0.0.0 , < 1.3.0
(semver)
|
Date Public
2026-07-08 17:14
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/location_selector",
"product": "Location Selector",
"repo": "https://git.drupalcode.org/project/location_selector",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "handkerchief"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-07-08T17:14:27.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:21.263Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-072"
}
],
"title": "Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15081",
"datePublished": "2026-07-10T21:46:21.263Z",
"dateReserved": "2026-07-08T15:44:55.221Z",
"dateUpdated": "2026-07-10T21:46:21.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15080 (GCVE-0-2026-15080)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4.
Severity
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Ray Enterprise Translation |
Affected:
0.0.0 , < 4.0.4
(semver)
Affected: 4.1.0 , < 4.1.4 (semver) Affected: 11.0.0 , < 11.0.4 (semver) |
Date Public
2026-07-08 17:13
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/lingotek",
"product": "Ray Enterprise Translation",
"repo": "https://git.drupalcode.org/project/lingotek",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.0.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "4.1.4",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"lessThan": "11.0.4",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Naresh Bavaskar (naresh_bavaskar)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-08T17:13:44.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:20.380Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-071"
}
],
"title": "Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15080",
"datePublished": "2026-07-10T21:46:20.380Z",
"dateReserved": "2026-07-08T15:44:54.212Z",
"dateUpdated": "2026-07-10T21:46:20.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15079 (GCVE-0-2026-15079)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070
Summary
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4.
Severity
No CVSS data available.
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Login Disable |
Affected:
0.0.0 , < 2.1.4
(semver)
|
Date Public
2026-07-08 17:12
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/login_disable",
"product": "Login Disable",
"repo": "https://git.drupalcode.org/project/login_disable",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Boris Doesborg (batigolix)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-07-08T17:12:32.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:19.486Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-070"
}
],
"title": "Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15079",
"datePublished": "2026-07-10T21:46:19.486Z",
"dateReserved": "2026-07-08T15:44:53.333Z",
"dateUpdated": "2026-07-10T21:46:19.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13244 (GCVE-0-2026-13244)
Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
VLAI
EPSS
VEX
Title
Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0.
Severity
No CVSS data available.
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Tealium iQ Tag Management |
Affected:
0.0.0 , < 2.4.0
(semver)
|
Date Public
2026-06-26 15:27
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tealiumiq",
"product": "Tealium iQ Tag Management",
"repo": "https://git.drupalcode.org/project/tealiumiq",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel Schiavone (schiavone)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-26T15:27:49.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:14.260Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-064"
}
],
"title": "Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13244",
"datePublished": "2026-07-10T21:46:14.260Z",
"dateReserved": "2026-06-24T18:00:17.008Z",
"dateUpdated": "2026-07-10T21:46:14.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13243 (GCVE-0-2026-13243)
Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3.
Severity
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Salesforce Suite |
Affected:
0.0.0 , < 5.1.3
(semver)
|
Date Public
2026-06-24 18:48
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/salesforce",
"product": "Salesforce Suite",
"repo": "https://git.drupalcode.org/project/salesforce",
"vendor": "Drupal",
"versions": [
{
"lessThan": "5.1.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammedali Aliyev (swordmein)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Aaron Bauman (aaronbauman)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-06-24T18:48:15.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:55.591Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-063"
}
],
"title": "Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13243",
"datePublished": "2026-07-10T21:44:55.591Z",
"dateReserved": "2026-06-24T18:00:16.032Z",
"dateUpdated": "2026-07-10T21:44:55.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13242 (GCVE-0-2026-13242)
Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0.
Severity
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Geolocation Field |
Affected:
0.0.0 , < 3.15.0
(semver)
|
Date Public
2026-06-24 18:46
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/geolocation",
"product": "Geolocation Field",
"repo": "https://git.drupalcode.org/project/geolocation",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.15.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Michael Maturi (michaelmaturi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Christian Adamski (christianadamski)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-24T18:46:12.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:54.721Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-062"
}
],
"title": "Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13242",
"datePublished": "2026-07-10T21:44:54.721Z",
"dateReserved": "2026-06-24T18:00:15.050Z",
"dateUpdated": "2026-07-10T21:44:54.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13241 (GCVE-0-2026-13241)
Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
Summary
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Paragraphs |
Affected:
0.0.0 , < 1.21.0
(semver)
|
Date Public
2026-06-24 18:43
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/paragraphs",
"product": "Paragraphs",
"repo": "https://git.drupalcode.org/project/paragraphs",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.21.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mustafa Ahmed (mustafa007)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sascha Grossenbacher (berdir)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-24T18:43:16.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:53.879Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-061"
}
],
"title": "Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13241",
"datePublished": "2026-07-10T21:44:53.879Z",
"dateReserved": "2026-06-24T18:00:14.145Z",
"dateUpdated": "2026-07-10T21:44:53.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13240 (GCVE-0-2026-13240)
Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
VLAI
EPSS
VEX
Title
Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060
Summary
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.
Severity
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Paragraphs |
Affected:
0.0.0 , < 1.21.0
(semver)
|
Date Public
2026-06-24 18:42
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/paragraphs",
"product": "Paragraphs",
"repo": "https://git.drupalcode.org/project/paragraphs",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.21.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sascha Grossenbacher (berdir)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2026-06-24T18:42:30.000Z",
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:44:53.011Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-060"
}
],
"title": "Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13240",
"datePublished": "2026-07-10T21:44:53.011Z",
"dateReserved": "2026-06-24T18:00:13.250Z",
"dateUpdated": "2026-07-10T21:44:53.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}