Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044

Date: 2026-June-10
CVE IDs: CVE-2026-11909

The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.

The "Read from a file" feature implemented by the file_example submodule can be used to expose any file that PHP can access. Therefore, the file_example sub-module is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.

Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043

Date: 2026-June-10
CVE IDs: CVE-2026-11908

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.

The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session.

The vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.

Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042

Date: 2026-June-03
CVE IDs: CVE-2026-10770

This module provides spam protection using the CleanTalk cloud service.

The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.

Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041

Date: 2026-June-03
CVE IDs: CVE-2026-10769

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that it only affects installations where Checkout (commerce_checkout) is enabled and the "Comments" checkout pane (id: customer_comments), which is disabled by default, has been explicitly enabled.

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

Date: 2026-June-03
CVE IDs: CVE-2026-49977

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside content, allowing an attacker to delete arbitrary cookies.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

Date: 2026-June-03
CVE IDs: CVE-2026-10768

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview.

The module doesn't sufficiently restrict access to a view of Service Contacts that exposes the names of, and the content items assigned to, each Service Contact.

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

Date: 2026-May-27
CVE IDs: CVE-2026-9726

The Basket module enables e-commerce and checkout functionality for Drupal sites.

The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().

An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Date: 2026-May-20
CVE IDs: CVE-2026-9082

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18

Date: 2026-May-18

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Date: 2026-May-13
CVE IDs: CVE-2026-8495

This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission; the routes are accessible to all anonymous users with no configuration required.
