February 2026 - Security-news

Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-019 Project: Responsive Favicons [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site scripting Affected versions: <2.0.2 CVE IDs: CVE-2026-3218 Description: This module adds the favicons generated by realfavicongenerator.net to your Drupal site. The module does not filter administrator-entered text, leading to a persistent Cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive favicons". Solution: Install the latest version, then confirm the permissions associated with the module are assigned to appropriate roles. * If you use the Responsive Favicons module version 2.0.1 or lower, upgrade to Responsive Favicons 2.0.2 [3]. * 4.x and 3.x branches are not affected by this vulnerability. Reported By: * Simon Bäse (simonbaese) [4] Fixed By: * Frank Mably (mably) [5] * Sean Hamlin (wiifm) [6] Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team * Juraj Nemec (poker10) [8] of the Drupal Security Team * Jess (xjm) [9] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [10] [1] https://www.drupal.org/project/responsive_favicons [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/responsive_favicons/releases/2.0.2 [4] https://www.drupal.org/u/simonbaese [5] https://www.drupal.org/u/mably [6] https://www.drupal.org/u/wiifm [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/poker10 [9] https://www.drupal.org/u/xjm [10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-018 Project: SAML SSO - Service Provider [1] Date: 2026-February-25 Security risk: *Critical* 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site scripting Affected versions: <3.1.3 CVE IDs: CVE-2026-3217 Description: This module enables you to perform SAML protocol-based single sign-on (SSO) on a Drupal site. The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting (XSS) vulnerability. Solution: Install the latest version: * If you are using the "SAML SSO- Service Provider" module for Drupal, upgrade to SAML SSO- Service Provider 3.1.3 [3]. Reported By: * Drew Webber (mcdruid) [4] of the Drupal Security Team Fixed By: * Sudhanshu Dhage (sudhanshu0542) [5] Coordinated By: * Drew Webber (mcdruid) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team * Jess (xjm) [8] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [9] [1] https://www.drupal.org/project/miniorange_saml [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/miniorange_saml/releases/3.1.3 [4] https://www.drupal.org/u/mcdruid [5] https://www.drupal.org/u/sudhanshu0542 [6] https://www.drupal.org/u/mcdruid [7] https://www.drupal.org/u/poker10 [8] https://www.drupal.org/u/xjm [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-017 Project: Drupal Canvas [1] Date: 2026-February-25 Security risk: *Moderately critical* 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Server-side request forgery, Information disclosure Affected versions: <1.1.1 CVE IDs: CVE-2026-3216 Description: This module enables you to easily theme and build an entire website using only their browser, without the need to write code beyond basic JSX and CSS. Content creators are able to compose content on any part of the page without relying on developers. The project has a hidden sub-module, *Drupal Canvas AI*, which is disabled by default. It is typically enabled as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush). When the submodule is enabled, the following vulnerability is exposed. The module doesn't sufficiently sanitize user-supplied data via crafted API requests within the messages JSON payload. It is mitigated by the fact that an attacker must have a role with the permission "use Drupal Canvas AI". *How the Canvas AI sub-module gets enabled:* As a hidden submodule, canvas_ai is not intended for manual activation via the UI. It is designed to be pulled in as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush). Solution: Install the latest version: * If you use the Drupal Canvas module, upgrade to Drupal Canvas 1.1.1 [3]. Sites witthout the hidden submodule enabled are not vulnerable. The module is hidden from the UI module list, but admins can verify its status via the command line: drush config:get core.extension | grep canvas_ai Reported By: * Drew Webber (mcdruid) [4] of the Drupal Security Team Fixed By: * Bálint Kléri (balintbrews) [5] * Ignacio Sánchez Holgueras (isholgueras) [6] * Drew Webber (mcdruid) [7] of the Drupal Security Team * Narendra Singh Rathore (narendrar) [8] * Christian López Espínola (penyaskito) [9] * Tim Plunkett (tim.plunkett) [10] Coordinated By: * Greg Knaddison (greggles) [11] of the Drupal Security Team * Drew Webber (mcdruid) [12] of the Drupal Security Team * Juraj Nemec (poker10) [13] of the Drupal Security Team * Jess (xjm) [14] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [15] [1] https://www.drupal.org/project/canvas [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/canvas/releases/1.1.1 [4] https://www.drupal.org/u/mcdruid [5] https://www.drupal.org/u/balintbrews [6] https://www.drupal.org/u/isholgueras [7] https://www.drupal.org/u/mcdruid [8] https://www.drupal.org/u/narendrar [9] https://www.drupal.org/u/penyaskito [10] https://www.drupal.org/u/timplunkett [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/mcdruid [13] https://www.drupal.org/u/poker10 [14] https://www.drupal.org/u/xjm [15] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-016 Project: Islandora [1] Date: 2026-February-25 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Arbitrary file upload, Cross-site scripting Affected versions: <2.17.5 CVE IDs: CVE-2026-3215 Description: This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment. The module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to nodes, which can also lead to cross-site scripting and other vulnerabilities. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create media" and the ability to edit the node the media is being attached to. Solution: Install the latest version: * If you use the Islandora module, upgrade to Islandora 2.17.5 [3]. Reported By: * Drew Webber (mcdruid) [4] of the Drupal Security Team Fixed By: * Joe Corall (joecorall) [5] * Rosie Le Faive (rosiel) [6] Coordinated By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Drew Webber (mcdruid) [9] of the Drupal Security Team * Juraj Nemec (poker10) [10] of the Drupal Security Team * Jess (xjm) [11] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [12] [1] https://www.drupal.org/project/islandora [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/islandora/releases/2.17.5 [4] https://www.drupal.org/u/mcdruid [5] https://www.drupal.org/u/joecorall [6] https://www.drupal.org/u/rosiel [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/mcdruid [10] https://www.drupal.org/u/poker10 [11] https://www.drupal.org/u/xjm [12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-015 Project: CAPTCHA [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:All [2] Vulnerability: Access bypass Affected versions: <1.17.0 || >=2.0.0 < 2.0.10 CVE IDs: CVE-2026-3214 Description: This module enables you to protect web forms from automated spam by requiring users to pass a challenge. The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions. This vulnerability is mitigated by the fact that an attacker must first successfully solve at least one CAPTCHA manually to harvest the valid tokens. Solution: Install the latest version: * If you use the Captcha module 2.0.x, upgrade to Captcha 2.0.10 [3]. * If you use the Captcha module 8.x-1.x, upgrade to Captcha 8.x-1.17 [4]. Reported By: * Andrew Belcher (andrewbelcher) [5] * Chris Dudley (dudleyc) [6] * tamasd [7] * Tim Wood (timwood) [8] Fixed By: * Joshua Sedler (grevil) [9] * Jakob P (japerry) [10] * Adam Nagy (joevagyok) [11] Coordinated By: * cilefen (cilefen) [12] of the Drupal Security Team * Damien McKenna (damienmckenna) [13] of the Drupal Security Team * Greg Knaddison (greggles) [14] of the Drupal Security Team * Michael Hess (mlhess) [15] of the Drupal Security Team * Juraj Nemec (poker10) [16] of the Drupal Security Team * Jess (xjm) [17] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [18] [1] https://www.drupal.org/project/captcha [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/captcha/releases/2.0.10 [4] https://www.drupal.org/project/captcha/releases/8.x-1.17 [5] https://www.drupal.org/u/andrewbelcher [6] https://www.drupal.org/u/dudleyc [7] https://www.drupal.org/u/tamasd [8] https://www.drupal.org/u/timwood [9] https://www.drupal.org/u/grevil [10] https://www.drupal.org/u/japerry [11] https://www.drupal.org/u/joevagyok [12] https://www.drupal.org/u/cilefen [13] https://www.drupal.org/u/damienmckenna [14] https://www.drupal.org/u/greggles [15] https://www.drupal.org/u/mlhess [16] https://www.drupal.org/u/poker10 [17] https://www.drupal.org/u/xjm [18] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-014 Project: Anti-Spam by CleanTalk [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross-site scripting Affected versions: <9.7.0 CVE IDs: CVE-2026-3213 Description: This module enables you to block bots by Firewall. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or blocked by the firewall. Solution: Install the latest version: * If you use the Anti-Spam by CleanTalk module for Drupal, upgrade to Anti-Spam by CleanTalk 9.7.0 [3]. Reported By: * Drew Webber (mcdruid) [4] of the Drupal Security Team Fixed By: * glomberg [5] * Drew Webber (mcdruid) [6] of the Drupal Security Team * sergefcleantalk [7] Coordinated By: * Damien McKenna (damienmckenna) [8] of the Drupal Security Team * Greg Knaddison (greggles) [9] of the Drupal Security Team * Drew Webber (mcdruid) [10] of the Drupal Security Team * Juraj Nemec (poker10) [11] of the Drupal Security Team * Jess (xjm) [12] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [13] [1] https://www.drupal.org/project/cleantalk [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/cleantalk/releases/9.7.0 [4] https://www.drupal.org/u/mcdruid [5] https://www.drupal.org/u/glomberg [6] https://www.drupal.org/u/mcdruid [7] https://www.drupal.org/u/sergefcleantalk [8] https://www.drupal.org/u/damienmckenna [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/mcdruid [11] https://www.drupal.org/u/poker10 [12] https://www.drupal.org/u/xjm [13] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-013 Project: Tagify [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross-site scripting Affected versions: <1.2.49 CVE IDs: CVE-2026-3212 Description: This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets. The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content. Solution: Install the latest version: * If you use the Tagify module, upgrade to Tagify 1.2.49 [3] or later. Reported By: * David López (akalam) [4] * Mingsong (mingsong) [5] provisional member of the Drupal Security Team Fixed By: * David López (akalam) [6] * David Galeano (gxleano) [7] * Mingsong (mingsong) [8] provisional member of the Drupal Security Team Coordinated By: * Damien McKenna (damienmckenna) [9] of the Drupal Security Team * Dan Smith (galooph) [10] of the Drupal Security Team * Greg Knaddison (greggles) [11] of the Drupal Security Team * Drew Webber (mcdruid) [12] of the Drupal Security Team * Jess (xjm) [13] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [14] [1] https://www.drupal.org/project/tagify [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tagify/releases/1.2.49 [4] https://www.drupal.org/u/akalam [5] https://www.drupal.org/u/mingsong [6] https://www.drupal.org/u/akalam [7] https://www.drupal.org/u/gxleano [8] https://www.drupal.org/u/mingsong [9] https://www.drupal.org/u/damienmckenna [10] https://www.drupal.org/u/galooph [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/mcdruid [13] https://www.drupal.org/u/xjm [14] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-012 Project: Theme Negotiation by Rules [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site request forgery Affected versions: <1.2.1 CVE IDs: CVE-2026-3211 Description: This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match. The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links. This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule. Solution: Install the latest version: * If you use the Theme Negotiation by Rules module, upgrade to Theme Negotiation by Rules 1.2.1 [3]. Reported By: * Juraj Nemec (poker10) [4] of the Drupal Security Team Fixed By: * Zoltan Attila Horvath (huzooka) [5] * Juraj Nemec (poker10) [6] of the Drupal Security Team Coordinated By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team * Jess (xjm) [10] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [11] [1] https://www.drupal.org/project/theme_rule [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3575478 [4] https://www.drupal.org/u/poker10 [5] https://www.drupal.org/u/huzooka [6] https://www.drupal.org/u/poker10 [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/u/xjm [11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
by security-news＠drupal.org 25 Feb '26

25 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-011 Project: Material Icons [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <2.0.4 CVE IDs: CVE-2026-3210 Description: This module enables you to add icons to CKEditor. The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios. Solution: Install the latest version and review permissions: 1) If you use the Material Icons module for Drupal, upgrade to Material Icons 2.0.4 [3]. 2) Assign the newly created "use material icons" permission to users who should have access to the widgets. Reported By: * Jen M (jannakha) [4] Fixed By: * Bryan Sharpe (b_sharpe) [5] * Jen M (jannakha) [6] Coordinated By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team * Ra Mänd (ram4nd) [10], provisional member of the Drupal Security Team * Jess (xjm) [11] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [12] [1] https://www.drupal.org/project/material_icons [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/material_icons/releases/2.0.4 [4] https://www.drupal.org/u/jannakha [5] https://www.drupal.org/u/b_sharpe [6] https://www.drupal.org/u/jannakha [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/u/ram4nd [11] https://www.drupal.org/u/xjm [12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

UI Icons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-010
by security-news＠drupal.org 11 Feb '26

11 Feb '26

View online: https://www.drupal.org/sa-contrib-2026-010 Project: UI Icons [1] Date: 2026-February-11 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site Scripting Affected versions: <1.0.1 || >=1.1.0 <1.1.1 CVE IDs: CVE-2026-2349 Description: This module enables you to integrate and manage icons with Drupal. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability. The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule must be enabled. Solution: Install the latest version: * If you use the UI Icons module upgrade to UI Icons 1.0.1 [3] or UI Icons 1.1.1 [4] Reported By: * Drew Webber (mcdruid) [5] of the Drupal Security Team Fixed By: * Jean Valverde (mogtofu33) [6] Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team * Drew Webber (mcdruid) [8] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [9] [1] https://www.drupal.org/project/ui_icons [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ui_icons/releases/1.0.1 [4] https://www.drupal.org/project/ui_icons/releases/1.1.1 [5] https://www.drupal.org/u/mcdruid [6] https://www.drupal.org/u/mogtofu33 [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/mcdruid [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0