View online: https://www.drupal.org/sa-contrib-2026-003
Project: AT Internet SmartTag [1]
Date: 2026-January-14
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.0.1
CVE IDs: CVE-2026-0946
Description:
This module integrates the AT Internet SmartTag service.
The module does not filter administrator-entered text leading to a persistent
Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer atsmarttag".
Solution:
Install the latest version and confirm the permissions associated with the
module are assigned to appropriate roles.
* If you use the AT Internet SmartTag module for Drupal 9 and 10, upgrade to
AT Internet SmartTag 1.0.1 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Frank Mably (mably) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [8]
[1] https://www.drupal.org/project/atsmarttag
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/atsmarttag/releases/1.0.1
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/mably
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8]
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…
View online: https://www.drupal.org/sa-contrib-2026-002
Project: Role Delegation [1]
Date: 2026-January-14
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: >=1.3.0 <1.5.0
CVE IDs: CVE-2026-0945
Description:
This module allows site administrators to grant specific roles the authority
to assign selected roles to users, without them needing the "administer
permissions" permission.
The module contains an access bypass vulnerability when used in combination
with the Views Bulk Operations module. A user with the ability to delegate a
role is also able to assign the administrator role, including to their own
user.
This vulnerability is mitigated by the fact that an attacker must have access
to a view of users with the Views Bulk Operations module enabled.
Solution:
Install the latest version:
* If you use the Role Delegation module for Drupal ^10.3 || ^11, upgrade to
Role Delegation 8.x-1.5 [3]
Reported By:
* Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By:
* Adam Bramley (acbramley) [5]
* Dieter Holvoet (dieterholvoet) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [10]
[1] https://www.drupal.org/project/role_delegation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/role_delegation/releases/8.x-1.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/acbramley
[6] https://www.drupal.org/u/dieterholvoet
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/poker10
[10]
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…