DrupalSecurityTeam
diff --git a/‎advisories/canvas/DRUPAL-CONTRIB-2026-017.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/canvas/DRUPAL-CONTRIB-2026-017.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/captcha/DRUPAL-CONTRIB-2026-015.json‎
Lines changed: 84 additions & 0 deletions b/‎advisories/captcha/DRUPAL-CONTRIB-2026-015.json‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎advisories/cleantalk/DRUPAL-CONTRIB-2026-014.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/cleantalk/DRUPAL-CONTRIB-2026-014.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/islandora/DRUPAL-CONTRIB-2026-016.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/islandora/DRUPAL-CONTRIB-2026-016.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/material_icons/DRUPAL-CONTRIB-2026-011.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/material_icons/DRUPAL-CONTRIB-2026-011.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/miniorange_saml/DRUPAL-CONTRIB-2026-018.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/miniorange_saml/DRUPAL-CONTRIB-2026-018.json‎
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-017",
+  "modified": "2026-02-25T18:51:01.000Z",
+  "published": "2026-02-25T18:51:01.000Z",
+  "aliases": [
+    "CVE-2026-3216"
+  ],
+  "details": "This module enables you to easily theme and build an entire website using only their browser, without the need to write code beyond basic JSX and CSS. Content creators are able to compose content on any part of the page without relying on developers.\n\nThe project has a hidden sub-module, **Drupal Canvas AI**, which is disabled by default. It is typically enabled as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush). When the submodule is enabled, the following vulnerability is exposed.\n\nThe module doesn't sufficiently sanitize user-supplied data via crafted API requests within the messages JSON payload.\n\nIt is mitigated by the fact that an attacker must have a role with the permission \"use Drupal Canvas AI\".\n\n**How the Canvas AI sub-module gets enabled:** As a hidden submodule, `canvas_ai` is not intended for manual activation via the UI. It is designed to be pulled in as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush).",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/canvas"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.1"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.1.1"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.1.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-017"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Drew Webber (mcdruid)",
+      "contact": [
+        "https://www.drupal.org/u/mcdruid"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-015",
+  "modified": "2026-02-25T18:47:57.000Z",
+  "published": "2026-02-25T18:47:57.000Z",
+  "aliases": [
+    "CVE-2026-3214"
+  ],
+  "details": "This module enables you to protect web forms from automated spam by requiring users to pass a challenge.\n\nThe module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions.\n\nThis vulnerability is mitigated by the fact that an attacker must first successfully solve at least one CAPTCHA manually to harvest the valid tokens.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/captcha"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.17.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.17.0"
+          }
+        },
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "2.0.10"
+            }
+          ],
+          "database_specific": {
+            "constraint": ">=2.0.0 < 2.0.10"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.17.0 || >=2.0.0 < 2.0.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-015"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Andrew Belcher (andrewbelcher)",
+      "contact": [
+        "https://www.drupal.org/u/andrewbelcher"
+      ]
+    },
+    {
+      "name": "Chris Dudley (dudleyc)",
+      "contact": [
+        "https://www.drupal.org/u/dudleyc"
+      ]
+    },
+    {
+      "name": "Tim Wood (timwood)",
+      "contact": [
+        "https://www.drupal.org/u/timwood"
+      ]
+    },
+    {
+      "name": "tamasd",
+      "contact": [
+        "https://www.drupal.org/u/tamasd"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-014",
+  "modified": "2026-02-25T18:46:10.000Z",
+  "published": "2026-02-25T18:46:10.000Z",
+  "aliases": [
+    "CVE-2026-3213"
+  ],
+  "details": "This module enables you to block bots by Firewall.\n\nThe module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are \"challenged\" or blocked by the firewall.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/cleantalk"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.7.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<9.7.0"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<9.7.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-014"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Drew Webber (mcdruid)",
+      "contact": [
+        "https://www.drupal.org/u/mcdruid"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-016",
+  "modified": "2026-02-25T18:49:59.000Z",
+  "published": "2026-02-25T18:49:59.000Z",
+  "aliases": [
+    "CVE-2026-3215"
+  ],
+  "details": "This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment.\n\nThe module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to nodes, which can also lead to cross-site scripting and other vulnerabilities.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"create media\" and the ability to edit the node the media is being attached to.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/islandora"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.17.5"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<2.17.5"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<2.17.5"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-016"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Drew Webber (mcdruid)",
+      "contact": [
+        "https://www.drupal.org/u/mcdruid"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-011",
+  "modified": "2026-02-25T18:43:32.000Z",
+  "published": "2026-02-25T18:43:32.000Z",
+  "aliases": [
+    "CVE-2026-3210"
+  ],
+  "details": "This module enables you to add icons to CKEditor.\n\nThe module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/material_icons"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.4"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<2.0.4"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<2.0.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-011"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Jen M (jannakha)",
+      "contact": [
+        "https://www.drupal.org/u/jannakha"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-018",
+  "modified": "2026-02-25T18:51:26.000Z",
+  "published": "2026-02-25T18:51:26.000Z",
+  "aliases": [
+    "CVE-2026-3217"
+  ],
+  "details": "This module enables you to perform SAML protocol-based single sign-on (SSO) on a Drupal site.\n\nThe module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting (XSS) vulnerability.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/miniorange_saml"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.3"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<3.1.3"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<3.1.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-018"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Drew Webber (mcdruid)",
+      "contact": [
+        "https://www.drupal.org/u/mcdruid"
+      ]
+    }
+  ]
+}