Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042

Date: 2026-June-03
CVE IDs: CVE-2026-10770

This module provides spam protection using the CleanTalk cloud service.

The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.

Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041

Date: 2026-June-03
CVE IDs: CVE-2026-10769

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations where Checkout (commerce_checkout) is enabled and the "Comments" checkout pane (id: customer_comments), which is disabled by default, is explicitly used.

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

Date: 2026-June-03
CVE IDs: CVE-2026-49977

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside content, which allows an attacker to delete arbitrary cookies.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

Date: 2026-June-03
CVE IDs: CVE-2026-10768

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview.

The module doesn't sufficiently restrict access to a view of Service Contacts at which exposes the names and content items assigned to each Service Contact.

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

Date: 2026-May-27
CVE IDs: CVE-2026-9726

The Basket module enables e-commerce and checkout functionality for Drupal sites.

The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().

An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Date: 2026-May-20
CVE IDs: CVE-2026-9082

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18

Date: 2026-May-18

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Date: 2026-May-13
CVE IDs: CVE-2026-8495

This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission; the routes are accessible to all anonymous users with no configuration required.

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Date: 2026-May-13
CVE IDs: CVE-2026-8493

This module enables you to open content already on the page within a colorbox.

The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

Date: 2026-May-13
CVE IDs: CVE-2026-8492

The GTranslate module provides a language switcher widget for Drupal sites.

The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain.
