Advanced Content Feedback (aka admin_feedback) - Moderately critical - Access bypass / Insecure Direct Object Reference (IDOR) - SA-CONTRIB-2026-052

Date: 
2026-June-24
CVE IDs: 
CVE-2026-13232

This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote.

The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "give feedback". Note: "give feedback" is granted to anonymous and authenticated by default on install.

Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051

Date: 
2026-June-24
CVE IDs: 
CVE-2026-13231

This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses.

The module doesn't sufficiently sanitize several administrator-configured response messages (the "Yes response", "No response", and the custom text shown on a "No" answer) under the scenario where those settings contain HTML or script markup, which is then emitted as raw HTML in the feedback response shown to visitors.

Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009

Date: 
2026-June-17
CVE IDs: 
CVE-2026-55808

The JSON:API and REST modules allow you to upload image files to image fields.

The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.

Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.

Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008

Date: 
2026-June-17
CVE IDs: 
CVE-2026-55807

The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery.

The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL.

Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007

Date: 
2026-June-17
CVE IDs: 
CVE-2026-55806

Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.

This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.

Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006

Date: 
2026-June-17
CVE IDs: 
CVE-2026-55804

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.

This issue is not directly exploitable.

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

Date: 
2026-June-17
CVE IDs: 
CVE-2026-55803

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.

The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.

This vulnerability is mitigated by the fact that in order to be exploitable:

Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050

Date: 
2026-June-17
CVE IDs: 
CVE-2026-55810

The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library.

The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049

Date: 
2026-June-17
CVE IDs: 
CVE-2026-55809

The Flag attendance field module gives you the ability to add attendance by depending on Flag module.

flag_attendance_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.

Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048

Date: 
2026-June-17
CVE IDs: 
CVE-2026-12535

The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis.

formatter_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.

Pages

Subscribe with RSS Subscribe to Security advisories