Security advisories | Drupal.org
Security advisories
Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033
Date: 2026-April-22
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: CVE-2026-6871
This module enables you to obfuscate email addresses in content.
The module doesn't sufficiently sanitize user input passed through its Twig filter, which can lead to a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using the module's Twig filter.
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Date: 2026-April-15
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: CVE-2026-6367
Drupal 11.3 comes with support for completing entity suggestions while adding a link in CKEditor 5.
The suggestions aren't sufficiently sanitized, and a malicious user could trigger a stored cross-site scripting attack against another user.
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
Date: 2026-April-15
Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
CVE IDs: CVE-2026-6366
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.
This issue is not directly exploitable.
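As an added example that is not Drupal core code, the plain-PHP snippet below shows what "not directly exploitable" means in practice. The HypotheticalLogger class, its payload and the temporary file path are invented for illustration and do not reproduce the chain the advisory refers to. The point it demonstrates is that a gadget does nothing until something on the site calls unserialize() on attacker-controlled data, and that `allowed_classes => false` (or JSON instead of PHP serialization) removes the gadget's trigger.

```php
<?php
// Added example, not Drupal core code. HypotheticalLogger is an invented class
// that stands in for any class whose magic method performs a side effect with
// properties an attacker can control; it is not the chain from the advisory.

class HypotheticalLogger {
    public string $file = '';
    public string $data = '';

    // Runs when the object is destroyed. Harmless when the properties were set
    // by trusted code; a "gadget" when they arrive in attacker-supplied
    // serialized data, because unserialize() instantiates the object and the
    // destructor then writes attacker-chosen bytes to an attacker-chosen path.
    public function __destruct() {
        if ($this->file !== '') {
            file_put_contents($this->file, $this->data, FILE_APPEND);
        }
    }
}

// Attacker-controlled payload, constructed for the example. Built with sprintf
// rather than serialize() so that no live object (and no destructor) exists on
// the "attacker" side of the demo.
$file = sys_get_temp_dir() . '/gadget-demo.txt';
$data = "written by a destructor\n";
$payload = sprintf(
    'O:18:"HypotheticalLogger":2:{s:4:"file";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($file), $file, strlen($data), $data
);

// Vulnerable: any class on the autoload path may be instantiated.
function deserializeUnsafe(string $input): mixed {
    return unserialize($input);
}

// Hardened: allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, whose magic methods never run. Prefer JSON for
// untrusted data; unserialize() was never designed to be safe on it.
function deserializeSafe(string $input): mixed {
    return unserialize($input, ['allowed_classes' => false]);
}

@unlink($file);
$safe = deserializeSafe($payload);
echo 'safe: class=', get_class($safe),
     ' file written=', var_export(file_exists($file), true), PHP_EOL;

// The returned object is discarded immediately, so __destruct() fires now.
deserializeUnsafe($payload);
echo 'unsafe: file written=', var_export(file_exists($file), true), PHP_EOL;
@unlink($file);
```

Run it with `php gadget.php`. The practitioner's follow-up to a gadget-chain advisory is therefore twofold: apply the core update, which changes the gadget, and audit the site's own code and contributed modules for unserialize() calls that reach request data, cookies, cache entries or database rows an attacker can influence, since that is the vulnerability the chain needs.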
Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Date: 2026-April-15
Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: CVE-2026-6365
Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.
Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032
Date: 2026-April-08
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: CVE-2026-6095
The IframeConsent element writes HTML attributes without escaping their value.
This module has an XSS vulnerability. If an attacker is able to write an `<iframe>` tag, they may be able to insert arbitrary JavaScript.
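The Obfuscate advisory above (a Twig filter that returns markup) and this Orejime advisory (attribute values written unescaped) are two output contexts of the same mistake. The following is an added example, not code from either module; the function names and sample inputs are invented and the modules' actual encoding and rendering paths are not reproduced. It places the vulnerable shape of each context beside its escaped form.

```php
<?php
// Added example; not code from the Obfuscate or Orejime modules. Function names
// and sample inputs are invented for illustration.

// HTML escaping for text and attribute-value contexts; the same thing
// \Drupal\Component\Utility\Html::escape() does in Drupal.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Context 1: a Twig filter whose return value is treated as safe HTML ---
// Twig auto-escapes ordinary filter output. A filter registered with
//   new \Twig\TwigFilter('obfuscate', 'obfuscateSafe', ['is_safe' => ['html']])
// or one returning a \Drupal\Core\Render\Markup object opts out of that, so it
// must escape untrusted input itself before wrapping it in markup.

function obfuscateUnsafe(string $email): string {
    // The input is transformed but never escaped: '<', '>' and quotes survive.
    return '<span class="obfuscated">' . str_replace('@', ' [at] ', $email) . '</span>';
}

function obfuscateSafe(string $email): string {
    return '<span class="obfuscated">' . esc(str_replace('@', ' [at] ', $email)) . '</span>';
}

// --- Context 2: HTML attributes written from user-supplied values ---
// In Drupal, \Drupal\Core\Template\Attribute does this escaping for you; the
// hand-rolled version shows what it has to get right.

function consentIframeUnsafe(array $attrs): string {
    $out = '<iframe';
    foreach ($attrs as $name => $value) {
        $out .= ' ' . $name . '="' . $value . '"';
    }
    return $out . '></iframe>';
}

function consentIframeSafe(array $attrs): string {
    // Attribute names are allow-listed, not escaped: no amount of escaping
    // makes an attacker-chosen name such as "onload" harmless.
    $allowed = ['src', 'title', 'width', 'height', 'allow', 'loading'];
    $out = '<iframe';
    foreach ($attrs as $name => $value) {
        if (!in_array($name, $allowed, true)) {
            continue;
        }
        $out .= ' ' . $name . '="' . esc((string) $value) . '"';
    }
    return $out . '></iframe>';
}

// Constructed attacker inputs.
$textPayload = 'a@b.test<img src=x onerror=alert(1)>';
$attrPayload = 'https://example.test/" onload="alert(1)';

echo obfuscateUnsafe($textPayload), PHP_EOL;   // the <img> tag passes through as markup
echo obfuscateSafe($textPayload), PHP_EOL;     // the tag is rendered as text
echo consentIframeUnsafe(['src' => $attrPayload]), PHP_EOL;   // src is closed, onload is injected
echo consentIframeSafe(['src' => $attrPayload, 'onload' => 'alert(1)']), PHP_EOL;
```

The check to carry into code review is context-specific: a Twig filter or render callback that declares its output safe must have escaped every untrusted fragment itself, and any attribute value must go through Attribute or Html::escape() with ENT_QUOTES, because a double quote inside an attribute is the character that ends it.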
SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031
Date: 2026-April-01
Security risk: Critical 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: CVE-2026-5343
This module enables you to perform SAML-protocol-based single sign-on (SSO) on a Drupal site.
The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
Date: 2026-March-18
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
CVE IDs: CVE-2026-4393
This module provides a site administrator the ability to log users out after a specified time of inactivity.
The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.
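The Drupal-idiomatic fix for a route of this kind, as an added example rather than the Automated Logout module's own routing file (the route names, path, controller and module name `example` are invented), is a `_csrf_token` requirement on the route. The weak definition is shown first, the corrected one after it.

```yaml
# Added example, not the Automated Logout module's routing file. Route names,
# path, controller and the module name "example" are invented.

# Weak: a state-changing GET route (logging the user out) guarded only by a
# login requirement. Any page the victim visits can trigger it with
# <img src="https://site.example/example/logout"> or a cross-origin fetch().
example.logout_before:
  path: '/example/logout'
  defaults:
    _controller: '\Drupal\example\Controller\LogoutController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'

# Hardened: the same route with a CSRF token requirement. Drupal's CSRF access
# check rejects the request unless the ?token= query parameter carries a
# token generated for this path in the victim's session, and the URL generator
# appends that token automatically to links the site renders for this route.
example.logout_after:
  path: '/example/logout'
  defaults:
    _controller: '\Drupal\example\Controller\LogoutController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'
    _csrf_token: 'TRUE'
```

Two caveats apply. `_csrf_token` only protects links Drupal itself generates; JavaScript or markup that builds the URL by hand must obtain a token from `\Drupal::csrfToken()->get()` for the same path, and a page that embeds such a link must not be cached across sessions. And a state-changing action is better exposed as a POST form, where the Form API supplies and validates its own token, than as a token-protected GET link.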
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
Date: 2026-March-11
Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
CVE IDs: CVE-2026-4933
This module creates permissions per node content type to control access to unpublished nodes per content type.
The module does not consistently control access for unpublished translated nodes.
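The detail that makes translated nodes a special case is that the node `status` field is translatable, so one node can be published in one language and unpublished in another. The hook below is an added example, not the Unpublished Node Permissions module's code; the module name `example` and the permission string are invented. It grants per-content-type access to unpublished nodes while reading the status of the translation actually being accessed, and shows the query-side version of the same pitfall.

```php
<?php
// Added example; not code from the Unpublished Node Permissions module. The
// module name "example" and the permission string are invented.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 *
 * $node is the translation object whose access is being checked, so
 * $node->isPublished() reports that translation's own status. Reading the
 * status through $node->getUntranslated() instead would let a published
 * default translation open every unpublished translation of the node.
 */
function example_node_access(NodeInterface $node, string $operation, AccountInterface $account): AccessResult {
  // Only "view an unpublished translation" is decided here; everything else
  // stays neutral so that core and other modules decide.
  if ($operation !== 'view' || $node->isPublished()) {
    return AccessResult::neutral()->addCacheableDependency($node);
  }
  $permission = 'view unpublished ' . $node->bundle() . ' content';
  return AccessResult::allowedIf($account->hasPermission($permission))
    ->cachePerPermissions()
    ->addCacheableDependency($node);
}

/**
 * Query-side equivalent: the status condition must be bound to the language
 * being checked (fourth argument of condition()), otherwise a published row
 * for any other translation satisfies it.
 */
function example_translation_is_published(NodeInterface $node, string $langcode): bool {
  $ids = \Drupal::entityQuery('node')
    ->accessCheck(FALSE)
    ->condition('nid', $node->id())
    ->condition('status', NodeInterface::PUBLISHED, '=', $langcode)
    ->execute();
  return !empty($ids);
}
```

When testing a fix for an advisory like this one, the case to exercise is a node whose default translation is published and whose other translation is not, viewed at the translated path by an account that holds neither the per-type permission nor "bypass node access".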
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
Date: 2026-March-11
Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: CVE-2026-3573
The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.
Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the context of the LLM request.
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
Date: 2026-March-04
Security risk: Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: CVE-2026-3532
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate the uniqueness of certain user fields, depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user, which may lead to data integrity issues.
Subscribe with RSS
In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
You can also get RSS feeds for core, contrib, or public service announcements, or follow drupalsecurity@drupal.community on Mastodon or @drupalsecurity on Bluesky.
Contacting the Security team
In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.
Writing secure code
If you are a Drupal developer, please read the handbook section on Writing secure code.
Drupal Steward
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass-exploitable vulnerabilities, allowing you to update on your own time.