Security advisories for third-party projects that are not part of Drupal core - this includes all modules, themes, and installation profiles that have been contributed by community members.

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Date: 2026-May-13
CVE IDs: CVE-2026-8495

This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission; the routes are accessible to all anonymous users with no configuration required.

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

Date: 2026-May-13
CVE IDs: CVE-2026-8493

This module enables you to open content already on the page within a colorbox.

The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

Date: 2026-May-13
CVE IDs: CVE-2026-8492

The GTranslate module provides a language switcher widget for Drupal sites.

The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain.

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Date: 2026-May-13
CVE IDs: CVE-2026-8491

The Node View Permissions module enables the permissions "View own content" and "View any content" for each content type on the permissions page.

The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.

This vulnerability is mitigated by the fact that only private content to which anonymous users should not have view access is affected, and only if a node was reassigned to the anonymous user.

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

Date: 2026-April-22
CVE IDs: CVE-2026-6871

This module enables you to obfuscate email addresses in content.

The module doesn't sufficiently sanitize user input via the Twig filter.

This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

Date: 2026-April-08
CVE IDs: CVE-2026-6095

The IframeConsent element writes HTML attributes without escaping their value.

This module has an XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Date: 2026-April-01
CVE IDs: CVE-2026-5343

This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.

Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Date: 2026-March-18
CVE IDs: CVE-2026-4393

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

Date: 2026-March-11
CVE IDs: CVE-2026-4933

This module creates permissions per node content type to control access to unpublished nodes per content type.

The module does not consistently control access for unpublished translated nodes.

AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028

Date: 2026-March-11
CVE IDs: CVE-2026-3573

The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.

Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the context of the LLM request.
