Search

Find a vulnerability

Search criteria

    1526 vulnerabilities by Drupal

    CVE-2026-15089 (GCVE-0-2026-15089)

    Vulnerability from nvd – Published: 2026-07-10 21:54 – Updated: 2026-07-10 21:57
    VLAI
    Title
    Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079
    Summary
    vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Date Public
    2026-07-08 17:20
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/commerce_guest_registration",
              "product": "Commerce guest registration",
              "repo": "https://git.drupalcode.org/project/commerce_guest_registration",
              "vendor": "Drupal",
              "versions": [
                {
                  "status": "affected",
                  "version": "*.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-07-08T17:20:24.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:57:34.124Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-079"
            }
          ],
          "title": "Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15089",
        "datePublished": "2026-07-10T21:54:42.802Z",
        "dateReserved": "2026-07-08T15:45:03.255Z",
        "dateUpdated": "2026-07-10T21:57:34.124Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15087 (GCVE-0-2026-15087)

    Vulnerability from nvd – Published: 2026-07-10 21:57 – Updated: 2026-07-10 21:57
    VLAI
    Title
    Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078
    Summary
    vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Clean RESTful Affected: *.* (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:19
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/clean_node_api",
              "product": "Clean RESTful",
              "repo": "https://git.drupalcode.org/project/clean_node_api",
              "vendor": "Drupal",
              "versions": [
                {
                  "status": "affected",
                  "version": "*.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-07-08T17:19:42.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:57:28.467Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-078"
            }
          ],
          "title": "Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15087",
        "datePublished": "2026-07-10T21:57:28.467Z",
        "dateReserved": "2026-07-08T15:45:01.154Z",
        "dateUpdated": "2026-07-10T21:57:28.467Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15086 (GCVE-0-2026-15086)

    Vulnerability from nvd – Published: 2026-07-10 21:57 – Updated: 2026-07-10 21:57
    VLAI
    Title
    Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077
    Summary
    vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Date Public
    2026-07-08 17:19
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/raw_formatter",
              "product": "Raw Formatter [Meta Tag Formatter]",
              "repo": "https://git.drupalcode.org/project/raw_formatter",
              "vendor": "Drupal",
              "versions": [
                {
                  "status": "affected",
                  "version": "*.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-07-08T17:19:33.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:57:19.321Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-077"
            }
          ],
          "title": "Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15086",
        "datePublished": "2026-07-10T21:57:19.321Z",
        "dateReserved": "2026-07-08T15:45:00.086Z",
        "dateUpdated": "2026-07-10T21:57:19.321Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11915 (GCVE-0-2026-11915)

    Vulnerability from nvd – Published: 2026-07-10 21:58 – Updated: 2026-07-10 21:58
    VLAI
    Title
    Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047
    Summary
    vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Date Public
    2026-06-10 17:10
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/bfap_sb",
              "product": "Brute force attack protection",
              "repo": "https://git.drupalcode.org/project/bfap_sb",
              "vendor": "Drupal",
              "versions": [
                {
                  "status": "affected",
                  "version": "*.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-06-10T17:10:26.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:58:18.624Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-047"
            }
          ],
          "title": "Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-11915",
        "datePublished": "2026-07-10T21:58:18.624Z",
        "dateReserved": "2026-06-10T16:43:06.497Z",
        "dateUpdated": "2026-07-10T21:58:18.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11914 (GCVE-0-2026-11914)

    Vulnerability from nvd – Published: 2026-07-10 21:59 – Updated: 2026-07-10 21:59
    VLAI
    Title
    Composer - Critical - Unsupported - SA-CONTRIB-2026-046
    Summary
    vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Composer Affected: *.* (semver)
    Create a notification for this product.
    Date Public
    2026-06-10 17:09
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/composer",
              "product": "Composer",
              "repo": "https://git.drupalcode.org/project/composer",
              "vendor": "Drupal",
              "versions": [
                {
                  "status": "affected",
                  "version": "*.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-06-10T17:09:45.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:59:28.008Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-046"
            }
          ],
          "title": "Composer - Critical - Unsupported - SA-CONTRIB-2026-046"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-11914",
        "datePublished": "2026-07-10T21:59:28.008Z",
        "dateReserved": "2026-06-10T16:43:05.303Z",
        "dateUpdated": "2026-07-10T21:59:28.008Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11913 (GCVE-0-2026-11913)

    Vulnerability from nvd – Published: 2026-07-10 22:00 – Updated: 2026-07-10 22:00
    VLAI
    Title
    Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
    Summary
    vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Mother May I Affected: *.* (semver)
    Create a notification for this product.
    Date Public
    2026-06-10 17:08
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/mothermayi",
              "product": "Mother May I",
              "repo": "https://git.drupalcode.org/project/mothermayi",
              "vendor": "Drupal",
              "versions": [
                {
                  "status": "affected",
                  "version": "*.*",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-06-10T17:08:53.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*."
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T22:00:08.662Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-045"
            }
          ],
          "title": "Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-11913",
        "datePublished": "2026-07-10T22:00:08.662Z",
        "dateReserved": "2026-06-10T16:43:04.126Z",
        "dateUpdated": "2026-07-10T22:00:08.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58591 (GCVE-0-2026-58591)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
    Summary
    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Colorbox Affected: 0.0.0 , < 2.1.5 (semver)
    Affected: 0.0.0 , < 2.2.0 (semver)
    Create a notification for this product.
    Date Public
    2026-07-01 17:24
    Credits
    Pierre Rudloff (prudloff) Paul McKibben (paulmckibben) Pierre Rudloff (prudloff)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/colorbox",
              "product": "Colorbox",
              "repo": "https://git.drupalcode.org/project/colorbox",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "2.1.5",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.2.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pierre Rudloff (prudloff)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Paul McKibben (paulmckibben)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pierre Rudloff (prudloff)"
            }
          ],
          "datePublic": "2026-07-01T17:24:05.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:18.632Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-069"
            }
          ],
          "title": "Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-58591",
        "datePublished": "2026-07-10T21:46:18.632Z",
        "dateReserved": "2026-07-01T17:08:05.253Z",
        "dateUpdated": "2026-07-10T21:46:18.632Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58590 (GCVE-0-2026-58590)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068
    Summary
    Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal FlowDrop Affected: 0.0.0 , < 1.6.0 (semver)
    Create a notification for this product.
    Date Public
    2026-07-01 17:22
    Credits
    Aincient Labs (aincient labs) Shibin Das (d34dman) Greg Knaddison (greggles) Neil Drumm (drumm) Juraj Nemec (poker10) Dave Long (longwave)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/flowdrop",
              "product": "FlowDrop",
              "repo": "https://git.drupalcode.org/project/flowdrop",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.6.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aincient Labs  (aincient labs)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Shibin Das (d34dman)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            }
          ],
          "datePublic": "2026-07-01T17:22:46.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-87",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-87 Forceful Browsing"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:17.722Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-068"
            }
          ],
          "title": "FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-58590",
        "datePublished": "2026-07-10T21:46:17.722Z",
        "dateReserved": "2026-07-01T17:08:05.253Z",
        "dateUpdated": "2026-07-10T21:46:17.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58589 (GCVE-0-2026-58589)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
    Summary
    Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal FlowDrop Affected: 0.0.0 , < 1.6.0 (semver)
    Create a notification for this product.
    Date Public
    2026-07-01 17:21
    Credits
    Aincient Labs (aincient labs) Shibin Das (d34dman) Greg Knaddison (greggles) Neil Drumm (drumm) Juraj Nemec (poker10) Dave Long (longwave)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/flowdrop",
              "product": "FlowDrop",
              "repo": "https://git.drupalcode.org/project/flowdrop",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.6.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aincient Labs  (aincient labs)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Shibin Das (d34dman)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            }
          ],
          "datePublic": "2026-07-01T17:21:57.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-87",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-87 Forceful Browsing"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:16.889Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-067"
            }
          ],
          "title": "FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-58589",
        "datePublished": "2026-07-10T21:46:16.889Z",
        "dateReserved": "2026-07-01T17:08:05.253Z",
        "dateUpdated": "2026-07-10T21:46:16.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58588 (GCVE-0-2026-58588)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066
    Summary
    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Drupal Canvas Affected: 0.0.0 , < 1.4.2 (semver)
    Affected: 1.5.0 , < 1.5.2 (semver)
    Affected: 1.6.0 , < 1.6.1 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Date Public
    2026-07-01 17:21
    Credits
    Christian López Espínola (penyaskito) AKHIL BABU (akhil babu) Christian López Espínola (penyaskito) Juraj Nemec (poker10)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/canvas",
              "product": "Drupal Canvas",
              "repo": "https://git.drupalcode.org/project/canvas",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.5.2",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.6.1",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "AKHIL BABU (akhil babu)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            }
          ],
          "datePublic": "2026-07-01T17:21:09.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:15.991Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-066"
            }
          ],
          "title": "Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-58588",
        "datePublished": "2026-07-10T21:46:15.991Z",
        "dateReserved": "2026-07-01T17:08:05.253Z",
        "dateUpdated": "2026-07-10T21:46:15.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58587 (GCVE-0-2026-58587)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065
    Summary
    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Drupal Canvas Affected: 0.0.0 , < 1.4.2 (semver)
    Affected: 1.5.0 , < 1.5.2 (semver)
    Affected: 1.6.0 , < 1.6.1 (semver)
    Affected: 1.7.0 , < 1.7.1 (semver)
    Create a notification for this product.
    Date Public
    2026-07-01 17:20
    Credits
    AKHIL BABU (akhil babu) Alex Bronstein (effulgentsia) Christian López Espínola (penyaskito) Juraj Nemec (poker10)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/canvas",
              "product": "Drupal Canvas",
              "repo": "https://git.drupalcode.org/project/canvas",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.4.2",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.5.2",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.6.1",
                  "status": "affected",
                  "version": "1.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.7.1",
                  "status": "affected",
                  "version": "1.7.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "AKHIL BABU (akhil babu)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Alex Bronstein (effulgentsia)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            }
          ],
          "datePublic": "2026-07-01T17:20:16.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:15.116Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-065"
            }
          ],
          "title": "Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-58587",
        "datePublished": "2026-07-10T21:46:15.116Z",
        "dateReserved": "2026-07-01T17:08:05.252Z",
        "dateUpdated": "2026-07-10T21:46:15.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55810 (GCVE-0-2026-55810)

    Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
    VLAI
    Title
    Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2.
    Severity
    No CVSS data available.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Plotly.js Graphing Affected: 0.0.0 , < 3.0.2 (semver)
    Create a notification for this product.
    Date Public
    2026-06-17 18:40
    Credits
    Drew Webber (mcdruid) Stephen Mustgrave (smustgrave) Greg Knaddison (greggles) Drew Webber (mcdruid) Jess (xjm)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/plotly_js",
              "product": "Plotly.js Graphing",
              "repo": "https://git.drupalcode.org/project/plotly_js",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "3.0.2",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Stephen Mustgrave (smustgrave)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jess  (xjm)"
            }
          ],
          "datePublic": "2026-06-17T18:40:21.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:44:36.859Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-050"
            }
          ],
          "title": "Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-55810",
        "datePublished": "2026-07-10T21:44:36.859Z",
        "dateReserved": "2026-06-17T14:59:52.673Z",
        "dateUpdated": "2026-07-10T21:44:36.859Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55809 (GCVE-0-2026-55809)

    Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
    VLAI
    Title
    Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2.
    Severity
    No CVSS data available.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Flag attendance field Affected: 0.0.0 , < 1.2 (semver)
    Create a notification for this product.
    Date Public
    2026-06-17 18:39
    Credits
    Drew Webber (mcdruid) Anas Mawlawi (anas_maw) Benji Fisher (benjifisher) Drew Webber (mcdruid) Benji Fisher (benjifisher) Drew Webber (mcdruid) Jess (xjm)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/flag_attendance_field",
              "product": "Flag attendance field",
              "repo": "https://git.drupalcode.org/project/flag_attendance_field",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.2",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Anas Mawlawi (anas_maw)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Benji Fisher (benjifisher)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Benji Fisher (benjifisher)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jess  (xjm)"
            }
          ],
          "datePublic": "2026-06-17T18:39:26.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:44:35.985Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-049"
            }
          ],
          "title": "Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-55809",
        "datePublished": "2026-07-10T21:44:35.985Z",
        "dateReserved": "2026-06-17T14:59:52.673Z",
        "dateUpdated": "2026-07-10T21:44:35.985Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55808 (GCVE-0-2026-55808)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
    Summary
    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Drupal core Affected: 0.0.0 , < 10.5.12 (semver)
    Affected: 10.6.0 , < 10.6.11 (semver)
    Affected: 11.2.0 , < 11.2.14 (semver)
    Affected: 11.3.0 , < 11.3.12 (semver)
    Affected: 0.0.0 , < 11.0.* (semver)
    Affected: 0.0.0 , < 11.1.* (semver)
    Create a notification for this product.
    Date Public
    2026-06-17 18:58
    Credits
    cantina_security Björn Brala (bbrala) Kim Pepper (kim.pepper) Lee Rowlands (larowlan) Damien McKenna (damienmckenna) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Juraj Nemec (poker10) Jess (xjm)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/drupal",
              "product": "Drupal core",
              "repo": "https://git.drupalcode.org/project/drupal",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "10.5.12",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.6.11",
                  "status": "affected",
                  "version": "10.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.2.14",
                  "status": "affected",
                  "version": "11.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.3.12",
                  "status": "affected",
                  "version": "11.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.0.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.1.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "cantina_security"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Bj\u00c3\u00b6rn Brala (bbrala)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Kim Pepper (kim.pepper)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Damien McKenna (damienmckenna)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jess  (xjm)"
            }
          ],
          "datePublic": "2026-06-17T18:58:02.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:43.600Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-core-2026-009"
            }
          ],
          "title": "Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-55808",
        "datePublished": "2026-07-10T21:46:43.600Z",
        "dateReserved": "2026-06-17T14:59:52.673Z",
        "dateUpdated": "2026-07-10T21:46:43.600Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55807 (GCVE-0-2026-55807)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
    Severity
    No CVSS data available.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Drupal core Affected: 0.0.0 , < 10.5.12 (semver)
    Affected: 10.6.0 , < 10.6.11 (semver)
    Affected: 11.2.0 , < 11.2.14 (semver)
    Affected: 11.3.0 , < 11.3.12 (semver)
    Affected: 0.0.0 , < 11.0.* (semver)
    Affected: 0.0.0 , < 11.1.* (semver)
    Create a notification for this product.
    Date Public
    2026-06-17 18:57
    Credits
    Hamed Kohi (0xhamy) assaf alassaf (ama62) Albert Skibinski (askibinski) Jon Minder (ayalon) Lautaro Casanova (betah4k) Gabe Sullice (gabesullice) John Morahan (john morahan) Michael Winser (michaelwinser) nbanderson offensive-ai Francesco Placella (plach) quynh ho (qquynh) Himanshu Anand (unknownhad) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Adam G-H (phenaproxima) Sean Blommaert (seanb) Benji Fisher (benjifisher) cilefen (cilefen) Damien McKenna (damienmckenna) Mori Sugimoto (dokumori) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) James Gilliland (neclimdul) Juraj Nemec (poker10) Jess (xjm)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/drupal",
              "product": "Drupal core",
              "repo": "https://git.drupalcode.org/project/drupal",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "10.5.12",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.6.11",
                  "status": "affected",
                  "version": "10.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.2.14",
                  "status": "affected",
                  "version": "11.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.3.12",
                  "status": "affected",
                  "version": "11.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.0.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.1.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hamed Kohi (0xhamy)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "assaf alassaf (ama62)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Albert Skibinski (askibinski)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jon Minder (ayalon)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Lautaro Casanova (betah4k)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Gabe Sullice (gabesullice)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "John Morahan (john morahan)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Winser (michaelwinser)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "nbanderson"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "offensive-ai"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Placella (plach)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "quynh ho (qquynh)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Himanshu Anand (unknownhad)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Dave Long (longwave)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Adam G-H (phenaproxima)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Sean Blommaert (seanb)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Benji Fisher (benjifisher)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "cilefen  (cilefen)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Damien McKenna (damienmckenna)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Mori Sugimoto (dokumori)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "James Gilliland (neclimdul)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jess  (xjm)"
            }
          ],
          "datePublic": "2026-06-17T18:57:49.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:40.786Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-core-2026-008"
            }
          ],
          "title": "Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-55807",
        "datePublished": "2026-07-10T21:46:40.786Z",
        "dateReserved": "2026-06-17T14:59:52.673Z",
        "dateUpdated": "2026-07-10T21:46:40.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55806 (GCVE-0-2026-55806)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007
    Summary
    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
    Severity
    No CVSS data available.
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Drupal core Affected: 0.0.0 , < 10.5.12 (semver)
    Affected: 10.6.0 , < 10.6.11 (semver)
    Affected: 11.2.0 , < 11.2.14 (semver)
    Affected: 11.3.0 , < 11.3.12 (semver)
    Affected: 0.0.0 , < 11.0.* (semver)
    Affected: 0.0.0 , < 11.1.* (semver)
    Create a notification for this product.
    Date Public
    2026-06-17 18:57
    Credits
    Melih Acikoz Michael Winser (michaelwinser) Willem Drupal enthousiast (willempje2) Lee Rowlands (larowlan) catch (catch) cilefen (cilefen) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) James Gilliland (neclimdul) Juraj Nemec (poker10) Jess (xjm)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/drupal",
              "product": "Drupal core",
              "repo": "https://git.drupalcode.org/project/drupal",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "10.5.12",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.6.11",
                  "status": "affected",
                  "version": "10.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.2.14",
                  "status": "affected",
                  "version": "11.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.3.12",
                  "status": "affected",
                  "version": "11.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.0.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.1.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Melih Acikoz"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Winser (michaelwinser)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Willem Drupal enthousiast (willempje2)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "catch (catch)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "cilefen  (cilefen)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "James Gilliland (neclimdul)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jess  (xjm)"
            }
          ],
          "datePublic": "2026-06-17T18:57:37.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-148",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-148 Content Spoofing"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:39.920Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-core-2026-007"
            }
          ],
          "title": "Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-55806",
        "datePublished": "2026-07-10T21:46:39.920Z",
        "dateReserved": "2026-06-17T14:59:52.673Z",
        "dateUpdated": "2026-07-10T21:46:39.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55804 (GCVE-0-2026-55804)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
    Severity
    No CVSS data available.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Drupal core Affected: 0.0.0 , < 10.5.12 (semver)
    Affected: 10.6.0 , < 10.6.11 (semver)
    Affected: 11.2.0 , < 11.2.14 (semver)
    Affected: 11.3.0 , < 11.3.12 (semver)
    Affected: 0.0.0 , < 11.0.* (semver)
    Affected: 0.0.0 , < 11.1.* (semver)
    Create a notification for this product.
    Date Public
    2026-06-17 18:57
    Credits
    Michael Maturi (michaelmaturi) Lee Rowlands (larowlan) Drew Webber (mcdruid) Mohit Aghera (mohit_aghera) Anna Kalata (akalata) Benji Fisher (benjifisher) cilefen (cilefen) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Juraj Nemec (poker10) Jess (xjm)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/drupal",
              "product": "Drupal core",
              "repo": "https://git.drupalcode.org/project/drupal",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "10.5.12",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.6.11",
                  "status": "affected",
                  "version": "10.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.2.14",
                  "status": "affected",
                  "version": "11.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.3.12",
                  "status": "affected",
                  "version": "11.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.0.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.1.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Maturi (michaelmaturi)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Mohit Aghera (mohit_aghera)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Anna Kalata (akalata)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Benji Fisher (benjifisher)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "cilefen  (cilefen)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jess  (xjm)"
            }
          ],
          "datePublic": "2026-06-17T18:57:02.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:39.054Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-core-2026-006"
            }
          ],
          "title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-55804",
        "datePublished": "2026-07-10T21:46:39.054Z",
        "dateReserved": "2026-06-17T14:59:52.673Z",
        "dateUpdated": "2026-07-10T21:46:39.054Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55803 (GCVE-0-2026-55803)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Drupal core - Critical - PHP object injection - SA-CORE-2026-005
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
    Severity
    No CVSS data available.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Drupal core Affected: 0.0.0 , < 10.5.12 (semver)
    Affected: 10.6.0 , < 10.6.11 (semver)
    Affected: 11.2.0 , < 11.2.14 (semver)
    Affected: 11.3.0 , < 11.3.12 (semver)
    Affected: 0.0.0 , < 11.0.* (semver)
    Affected: 0.0.0 , < 11.1.* (semver)
    Create a notification for this product.
    Date Public
    2026-06-17 18:56
    Credits
    Michael Maturi (michaelmaturi) Björn Brala (bbrala) Sascha Grossenbacher (berdir) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Anna Kalata (akalata) Benji Fisher (benjifisher) Damien McKenna (damienmckenna) David Strauss (david strauss) Neil Drumm (drumm) Greg Knaddison (greggles) Tim Hestenes Lehnen (hestenet) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Juraj Nemec (poker10) Ra Mänd (ram4nd) Jess (xjm)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/drupal",
              "product": "Drupal core",
              "repo": "https://git.drupalcode.org/project/drupal",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "10.5.12",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.6.11",
                  "status": "affected",
                  "version": "10.6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.2.14",
                  "status": "affected",
                  "version": "11.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.3.12",
                  "status": "affected",
                  "version": "11.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.0.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.1.*",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Maturi (michaelmaturi)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Bj\u00c3\u00b6rn Brala (bbrala)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Sascha Grossenbacher (berdir)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Dave Long (longwave)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Anna Kalata (akalata)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Benji Fisher (benjifisher)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Damien McKenna (damienmckenna)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "David Strauss (david strauss)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Tim Hestenes Lehnen (hestenet)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Lee Rowlands (larowlan)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Ra M\u00c3\u00a4nd (ram4nd)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jess  (xjm)"
            }
          ],
          "datePublic": "2026-06-17T18:56:50.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:38.051Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-core-2026-005"
            }
          ],
          "title": "Drupal core - Critical - PHP object injection - SA-CORE-2026-005"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-55803",
        "datePublished": "2026-07-10T21:46:38.051Z",
        "dateReserved": "2026-06-17T14:59:52.673Z",
        "dateUpdated": "2026-07-10T21:46:38.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15085 (GCVE-0-2026-15085)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076
    Summary
    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal AI SEO/GEO Analyzer Affected: 0.0.0 , < 1.1.3 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:18
    Credits
    Drew Webber (mcdruid) Juhani Väätäjä (j-vee) Greg Knaddison (greggles) Drew Webber (mcdruid)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/ai_seo",
              "product": "AI SEO/GEO Analyzer",
              "repo": "https://git.drupalcode.org/project/ai_seo",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.1.3",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Juhani V\u00c3\u00a4\u00c3\u00a4t\u00c3\u00a4j\u00c3\u00a4 (j-vee)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            }
          ],
          "datePublic": "2026-07-08T17:18:39.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:35.632Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-076"
            }
          ],
          "title": "AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15085",
        "datePublished": "2026-07-10T21:46:35.632Z",
        "dateReserved": "2026-07-08T15:44:59.219Z",
        "dateUpdated": "2026-07-10T21:46:35.632Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15084 (GCVE-0-2026-15084)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075
    Summary
    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal UI Patterns (SDC in Drupal UI) Affected: 2.0.0 , < 2.0.17 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:17
    Credits
    Hervé Donner (herved) Florent Torregrosa (grimreaper) Hervé Donner (herved) Mikael Meulle (just_like_good_vibes) Pierre Dureau (pdureau) Neil Drumm (drumm) Greg Knaddison (greggles) Juraj Nemec (poker10) Dave Long (longwave)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/ui_patterns",
              "product": "UI Patterns (SDC in Drupal UI)",
              "repo": "https://git.drupalcode.org/project/ui_patterns",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "2.0.17",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Herv\u00c3\u00a9 Donner (herved)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Florent Torregrosa (grimreaper)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Herv\u00c3\u00a9 Donner (herved)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Mikael Meulle (just_like_good_vibes)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Pierre Dureau (pdureau)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            }
          ],
          "datePublic": "2026-07-08T17:17:41.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal UI Patterns (SDC in Drupal UI) allows Stored XSS. This issue affects UI Patterns (SDC in Drupal UI) versions: from 2.0.0 to 2.0.17."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:34.771Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-075"
            }
          ],
          "title": "UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15084",
        "datePublished": "2026-07-10T21:46:34.771Z",
        "dateReserved": "2026-07-08T15:44:58.126Z",
        "dateUpdated": "2026-07-10T21:46:34.771Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15083 (GCVE-0-2026-15083)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.
    Severity
    No CVSS data available.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal ECA: Event - Condition - Action Affected: 0.0.0 , < 2.1.20 (semver)
    Affected: 3.0.0 , < 3.0.12 (semver)
    Affected: 3.1.0 , < 3.1.4 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:16
    Credits
    Changhai Qi (qichanghai) Jürgen Haas (jurgenhaas) Neil Drumm (drumm) Greg Knaddison (greggles) Dave Long (longwave)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/eca",
              "product": "ECA: Event - Condition - Action",
              "repo": "https://git.drupalcode.org/project/eca",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "2.1.20",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.12",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1.4",
                  "status": "affected",
                  "version": "3.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Changhai Qi (qichanghai)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "J\u00c3\u00bcrgen Haas (jurgenhaas)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Dave Long (longwave)"
            }
          ],
          "datePublic": "2026-07-08T17:16:32.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:33.886Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-074"
            }
          ],
          "title": "ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15083",
        "datePublished": "2026-07-10T21:46:33.886Z",
        "dateReserved": "2026-07-08T15:44:57.178Z",
        "dateUpdated": "2026-07-10T21:46:33.886Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15082 (GCVE-0-2026-15082)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073
    Summary
    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Siteimprove Analytics Affected: 0.0.0 , < 2.0.1 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:15
    Credits
    Pierre Rudloff (prudloff) Bohdan Artemchuk (bohart) Andriy Parkhomiuk (grask0) Greg Knaddison (greggles) Pierre Rudloff (prudloff)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/siteimprove_analytics",
              "product": "Siteimprove Analytics",
              "repo": "https://git.drupalcode.org/project/siteimprove_analytics",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "2.0.1",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pierre Rudloff (prudloff)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Bohdan Artemchuk (bohart)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Andriy Parkhomiuk (grask0)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pierre Rudloff (prudloff)"
            }
          ],
          "datePublic": "2026-07-08T17:15:18.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting (XSS). This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:22.143Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-073"
            }
          ],
          "title": "Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15082",
        "datePublished": "2026-07-10T21:46:22.143Z",
        "dateReserved": "2026-07-08T15:44:56.251Z",
        "dateUpdated": "2026-07-10T21:46:22.143Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15081 (GCVE-0-2026-15081)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0.
    Severity
    No CVSS data available.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Location Selector Affected: 0.0.0 , < 1.3.0 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:14
    Credits
    Drew Webber (mcdruid) handkerchief Greg Knaddison (greggles) Drew Webber (mcdruid) Juraj Nemec (poker10)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/location_selector",
              "product": "Location Selector",
              "repo": "https://git.drupalcode.org/project/location_selector",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "handkerchief"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            }
          ],
          "datePublic": "2026-07-08T17:14:27.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Location Selector allows SQL Injection. This issue affects Location Selector versions: from 0.0.0 to 1.3.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:21.263Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-072"
            }
          ],
          "title": "Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15081",
        "datePublished": "2026-07-10T21:46:21.263Z",
        "dateReserved": "2026-07-08T15:44:55.221Z",
        "dateUpdated": "2026-07-10T21:46:21.263Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15080 (GCVE-0-2026-15080)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4.
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Ray Enterprise Translation Affected: 0.0.0 , < 4.0.4 (semver)
    Affected: 4.1.0 , < 4.1.4 (semver)
    Affected: 11.0.0 , < 11.0.4 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:13
    Credits
    Pierre Rudloff (prudloff) Naresh Bavaskar (naresh_bavaskar) Greg Knaddison (greggles) Juraj Nemec (poker10) Pierre Rudloff (prudloff)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/lingotek",
              "product": "Ray Enterprise Translation",
              "repo": "https://git.drupalcode.org/project/lingotek",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "4.0.4",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.1.4",
                  "status": "affected",
                  "version": "4.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.0.4",
                  "status": "affected",
                  "version": "11.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pierre Rudloff (prudloff)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Naresh Bavaskar (naresh_bavaskar)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pierre Rudloff (prudloff)"
            }
          ],
          "datePublic": "2026-07-08T17:13:44.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:20.380Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-071"
            }
          ],
          "title": "Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15080",
        "datePublished": "2026-07-10T21:46:20.380Z",
        "dateReserved": "2026-07-08T15:44:54.212Z",
        "dateUpdated": "2026-07-10T21:46:20.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15079 (GCVE-0-2026-15079)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070
    Summary
    Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4.
    Severity
    No CVSS data available.
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Login Disable Affected: 0.0.0 , < 2.1.4 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 17:12
    Credits
    Pierre Rudloff (prudloff) Boris Doesborg (batigolix) Greg Knaddison (greggles) Pierre Rudloff (prudloff)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/login_disable",
              "product": "Login Disable",
              "repo": "https://git.drupalcode.org/project/login_disable",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "2.1.4",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pierre Rudloff (prudloff)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Boris Doesborg (batigolix)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pierre Rudloff (prudloff)"
            }
          ],
          "datePublic": "2026-07-08T17:12:32.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-112",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-112 Brute Force"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:19.486Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-070"
            }
          ],
          "title": "Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-15079",
        "datePublished": "2026-07-10T21:46:19.486Z",
        "dateReserved": "2026-07-08T15:44:53.333Z",
        "dateUpdated": "2026-07-10T21:46:19.486Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13244 (GCVE-0-2026-13244)

    Vulnerability from nvd – Published: 2026-07-10 21:46 – Updated: 2026-07-10 21:46
    VLAI
    Title
    Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0.
    Severity
    No CVSS data available.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Tealium iQ Tag Management Affected: 0.0.0 , < 2.4.0 (semver)
    Create a notification for this product.
    Date Public
    2026-06-26 15:27
    Credits
    Drew Webber (mcdruid) Benji Fisher (benjifisher) Daniel Schiavone (schiavone) Benji Fisher (benjifisher) Bram Driesen (bramdriesen) Neil Drumm (drumm) Drew Webber (mcdruid) Juraj Nemec (poker10)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/tealiumiq",
              "product": "Tealium iQ Tag Management",
              "repo": "https://git.drupalcode.org/project/tealiumiq",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "2.4.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Benji Fisher (benjifisher)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Daniel Schiavone (schiavone)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Benji Fisher (benjifisher)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Bram Driesen (bramdriesen)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            }
          ],
          "datePublic": "2026-06-26T15:27:49.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:46:14.260Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-064"
            }
          ],
          "title": "Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-13244",
        "datePublished": "2026-07-10T21:46:14.260Z",
        "dateReserved": "2026-06-24T18:00:17.008Z",
        "dateUpdated": "2026-07-10T21:46:14.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13243 (GCVE-0-2026-13243)

    Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
    VLAI
    Title
    Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3.
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Salesforce Suite Affected: 0.0.0 , < 5.1.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 18:48
    Credits
    Muhammedali Aliyev (swordmein) Aaron Bauman (aaronbauman) Neil Drumm (drumm) Juraj Nemec (poker10) Pierre Rudloff (prudloff)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/salesforce",
              "product": "Salesforce Suite",
              "repo": "https://git.drupalcode.org/project/salesforce",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "5.1.3",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammedali Aliyev (swordmein)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aaron Bauman (aaronbauman)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pierre Rudloff (prudloff)"
            }
          ],
          "datePublic": "2026-06-24T18:48:15.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:44:55.591Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-063"
            }
          ],
          "title": "Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-13243",
        "datePublished": "2026-07-10T21:44:55.591Z",
        "dateReserved": "2026-06-24T18:00:16.032Z",
        "dateUpdated": "2026-07-10T21:44:55.591Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13242 (GCVE-0-2026-13242)

    Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
    VLAI
    Title
    Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0.
    Severity
    No CVSS data available.
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Geolocation Field Affected: 0.0.0 , < 3.15.0 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 18:46
    Credits
    Michael Maturi (michaelmaturi) Michael Maturi (michaelmaturi) Christian Adamski (christianadamski) cilefen (cilefen) Neil Drumm (drumm) Greg Knaddison (greggles) Drew Webber (mcdruid) Juraj Nemec (poker10)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/geolocation",
              "product": "Geolocation Field",
              "repo": "https://git.drupalcode.org/project/geolocation",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "3.15.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Maturi (michaelmaturi)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Michael Maturi (michaelmaturi)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Christian Adamski (christianadamski)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "cilefen  (cilefen)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Neil Drumm (drumm)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Drew Webber (mcdruid)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            }
          ],
          "datePublic": "2026-06-24T18:46:12.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:44:54.721Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-062"
            }
          ],
          "title": "Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-13242",
        "datePublished": "2026-07-10T21:44:54.721Z",
        "dateReserved": "2026-06-24T18:00:15.050Z",
        "dateUpdated": "2026-07-10T21:44:54.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13241 (GCVE-0-2026-13241)

    Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
    VLAI
    Title
    Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
    Summary
    Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Paragraphs Affected: 0.0.0 , < 1.21.0 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 18:43
    Credits
    Mustafa Ahmed (mustafa007) Sascha Grossenbacher (berdir) Greg Knaddison (greggles) Juraj Nemec (poker10)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/paragraphs",
              "product": "Paragraphs",
              "repo": "https://git.drupalcode.org/project/paragraphs",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.21.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mustafa Ahmed (mustafa007)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Sascha Grossenbacher (berdir)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Juraj Nemec (poker10)"
            }
          ],
          "datePublic": "2026-06-24T18:43:16.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-87",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-87 Forceful Browsing"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:44:53.879Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-061"
            }
          ],
          "title": "Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-13241",
        "datePublished": "2026-07-10T21:44:53.879Z",
        "dateReserved": "2026-06-24T18:00:14.145Z",
        "dateUpdated": "2026-07-10T21:44:53.879Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13240 (GCVE-0-2026-13240)

    Vulnerability from nvd – Published: 2026-07-10 21:44 – Updated: 2026-07-10 21:44
    VLAI
    Title
    Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060
    Summary
    Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Drupal Paragraphs Affected: 0.0.0 , < 1.21.0 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 18:42
    Credits
    Pierre Rudloff (prudloff) Sascha Grossenbacher (berdir) Pierre Rudloff (prudloff) Greg Knaddison (greggles) Pierre Rudloff (prudloff)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.drupal.org/project/paragraphs",
              "product": "Paragraphs",
              "repo": "https://git.drupalcode.org/project/paragraphs",
              "vendor": "Drupal",
              "versions": [
                {
                  "lessThan": "1.21.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pierre Rudloff (prudloff)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Sascha Grossenbacher (berdir)"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Pierre Rudloff (prudloff)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Greg Knaddison (greggles)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Pierre Rudloff (prudloff)"
            }
          ],
          "datePublic": "2026-06-24T18:42:30.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-87",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-87 Forceful Browsing"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T21:44:53.011Z",
            "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
            "shortName": "drupal"
          },
          "references": [
            {
              "url": "https://www.drupal.org/sa-contrib-2026-060"
            }
          ],
          "title": "Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "assignerShortName": "drupal",
        "cveId": "CVE-2026-13240",
        "datePublished": "2026-07-10T21:44:53.011Z",
        "dateReserved": "2026-06-24T18:00:13.250Z",
        "dateUpdated": "2026-07-10T21:44:53.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }