Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
https://www.drupal.org/sa-contrib-2026-063
The Salesforce Suite of modules integrates Drupal with Salesforce. The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account. This vulnerability is mitigated by the fact that the salesforce_oauth submodule must be enabled, and a
Tealium iQ Tag Management - Critical - Unsupported - SA-CONTRIB-2026-064
https://www.drupal.org/sa-contrib-2026-064
The security team is marking the Tealium iQ Tag Management module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062
https://www.drupal.org/sa-contrib-2026-062
The Geolocation module adds a field to store coordinates and provides supporting plumbing for Views and other modules. One of the provided Views filters does not sufficiently sanitize values when exposed to user input, resulting in a SQL injection vulnerability. This vulnerability is mitigated by the fact that a view must exist that uses the aforementioned filter and it is set to
AI Agents - Moderately critical - Information disclosure, Access bypass - SA-CONTRIB-2026-057
https://www.drupal.org/sa-contrib-2026-057
This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. Under certain circumstances, the agent inherits deterministic parameters when invoking the same tool in one request, which can lead to information disclosure.
Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
https://www.drupal.org/sa-contrib-2026-061
The optional Paragraphs Library module allows the reuse of paragraphs in multiple places. The module doesn't sufficiently restrict access to direct child paragraphs of library items through API endpoints. This vulnerability is mitigated by the fact that the paragraphs_library module must be in use and general write access to paragraphs through another module must be allowed.
Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058
https://www.drupal.org/sa-contrib-2026-058
This module enables you to take payments through the Global Payments / Realex Hosted Payment Page (HPP), either via a lightbox iframe or via a full-page redirect. When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment response returned by Global Payments. The lightbox payment method validates the
WissKI - Critical - Access bypass - SA-CONTRIB-2026-059
https://www.drupal.org/sa-contrib-2026-059
The module adds support for the Mirador viewer in WissKI and enables annotations on images via the Mirador viewer. It does not sufficiently check the parameters submitted via a route and writes them to the session object without further checks, which can lead to access bypass. This vulnerability is mitigated by the fact that it is specific to the wisski_mirador submodule.
Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060
https://www.drupal.org/sa-contrib-2026-060
The optional Paragraphs Library module allows the reuse of paragraphs in multiple places. The module doesn't sufficiently restrict access to unpublished library items in lists. This vulnerability is mitigated by the fact that the paragraphs_library module must be in use, and that an attacker must have access to a list of library items, such as a field with autocomplete suggestions
AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056
https://www.drupal.org/sa-contrib-2026-056
This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. The module does not sufficiently check the required permissions when a tool loads content entities. This vulnerability is mitigated by the fact that an agent must be configured to use the affected tool, and an attacker must have access to that agent.
AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054
https://www.drupal.org/sa-contrib-2026-054
The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering this HTML can lead to cross-site scripting, or expose secret communications in the context of the LLM request. This vulnerability is