View online: https://www.drupal.org/sa-contrib-2026-011
Project: Material Icons [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Affected versions: <2.0.4 CVE IDs: CVE-2026-3210 Description: This module enables you to add icons to CKEditor.
The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.
Solution: Install the latest version and review permissions:
1) If you use the Material Icons module for Drupal, upgrade to Material Icons 2.0.4 [3]. 2) Assign the newly created "use material icons" permission to users who should have access to the widgets.
Reported By: * Jen M (jannakha) [4]
Fixed By: * Bryan Sharpe (b_sharpe) [5] * Jen M (jannakha) [6]
Coordinated By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team * Ra Mänd (ram4nd) [10], provisional member of the Drupal Security Team * Jess (xjm) [11] of the Drupal Security Team
------------------------------------------------------------------------------ Contribution record [12]
[1] https://www.drupal.org/project/material_icons [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/material_icons/releases/2.0.4 [4] https://www.drupal.org/u/jannakha [5] https://www.drupal.org/u/b_sharpe [6] https://www.drupal.org/u/jannakha [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/u/ram4nd [11] https://www.drupal.org/u/xjm [12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....