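--- a/advisories/admin_feedback/DRUPAL-CONTRIB-2026-051.json
+++ b/advisories/admin_feedback/DRUPAL-CONTRIB-2026-051.json
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.7.0",
+"id": "DRUPAL-CONTRIB-2026-051",
+"modified": "2026-06-24T18:32:15.000Z",
+"published": "2026-06-24T18:32:15.000Z",
+"aliases": [
+"CVE-2026-13231"
+],
+"details": "This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses.\n\nThe module doesn't sufficiently sanitize several administrator-configured response messages (the \"Yes response\", \"No response\", and the custom text shown on a \"No\" answer) under the scenario where those settings contain HTML or script markup, which is then emitted as raw HTML in the feedback response shown to visitors.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer admin feedback\".",
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist:https://packages.drupal.org/8",
+"name": "drupal/admin_feedback"
+},
+"severity": [],
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.8.0"
+}
+],
+"database_specific": {
+"constraint": "<2.8.0"
+}
+}
+],
+"database_specific": {
+"affected_versions": "<2.8.0"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://www.drupal.org/sa-contrib-2026-051"
+}
+],
+"credits": [
+{
+"name": "Bill Seremetis (bserem)",
+"contact": [
+"https://www.drupal.org/u/bserem"
+]
+}
+]
+}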
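Review bot: `"severity": []` in the affected entry of this new advisory leaves it with no score, so OSV consumers will present it as unknown severity even though the referenced Drupal SA page is the authoritative source for a rating; the same empty array appears in DRUPAL-CONTRIB-2026-052, -054, -055 and -056 in this change. If a CVSS vector is published for the advisory, populate it as `"severity": [{"type": "CVSS_V3", "score": "<CVSS vector from the SA page>"}]`; if none is available, emitting the key as an empty array is only justified if that is the convention elsewhere in this repository, otherwise omit it. Note also that `database_specific.affected_versions` restates the per-range `constraint` values, so any later change to one must be mirrored in the other; worth a sentence in the repository's contributor documentation if not already there.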
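--- a/advisories/admin_feedback/DRUPAL-CONTRIB-2026-052.json
+++ b/advisories/admin_feedback/DRUPAL-CONTRIB-2026-052.json
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.7.0",
+"id": "DRUPAL-CONTRIB-2026-052",
+"modified": "2026-06-24T18:35:16.000Z",
+"published": "2026-06-24T18:35:16.000Z",
+"aliases": [
+"CVE-2026-13232"
+],
+"details": "This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote.\n\nThe module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"give feedback\". Note: \"give feedback\" is granted to anonymous and authenticated by default on install.",
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist:https://packages.drupal.org/8",
+"name": "drupal/admin_feedback"
+},
+"severity": [],
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.8.0"
+}
+],
+"database_specific": {
+"constraint": "<2.8.0"
+}
+}
+],
+"database_specific": {
+"affected_versions": "<2.8.0"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://www.drupal.org/sa-contrib-2026-052"
+}
+],
+"credits": [
+{
+"name": "Bill Seremetis (bserem)",
+"contact": [
+"https://www.drupal.org/u/bserem"
+]
+}
+]
+}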
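--- a/advisories/ai/DRUPAL-CONTRIB-2026-054.json
+++ b/advisories/ai/DRUPAL-CONTRIB-2026-054.json
@@ -0,0 +1,80 @@
+{
+"schema_version": "1.7.0",
+"id": "DRUPAL-CONTRIB-2026-054",
+"modified": "2026-06-24T18:36:54.000Z",
+"published": "2026-06-24T18:36:54.000Z",
+"aliases": [
+"CVE-2026-13234"
+],
+"details": "The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.\n\nUnder certain circumstances, rendering of this HTML can lead to Cross Site Scripting, or exposing secret communications in the context of the LLM request.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to inject text into prompts to create an attack.",
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist:https://packages.drupal.org/8",
+"name": "drupal/ai"
+},
+"severity": [],
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.2.17"
+}
+],
+"database_specific": {
+"constraint": "<1.2.17"
+}
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.3.0"
+},
+{
+"fixed": "1.3.8"
+}
+],
+"database_specific": {
+"constraint": ">=1.3.0 <1.3.8"
+}
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.4.0"
+},
+{
+"fixed": "1.4.3"
+}
+],
+"database_specific": {
+"constraint": ">=1.4.0 <1.4.3"
+}
+}
+],
+"database_specific": {
+"affected_versions": "<1.2.17 || >=1.3.0 <1.3.8 || >=1.4.0 <1.4.3"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://www.drupal.org/sa-contrib-2026-054"
+}
+],
+"credits": [
+{
+"name": "Drew Webber (mcdruid)",
+"contact": [
+"https://www.drupal.org/u/mcdruid"
+]
+}
+]
+}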
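--- a/advisories/ai/DRUPAL-CONTRIB-2026-055.json
+++ b/advisories/ai/DRUPAL-CONTRIB-2026-055.json
@@ -0,0 +1,86 @@
+{
+"schema_version": "1.7.0",
+"id": "DRUPAL-CONTRIB-2026-055",
+"modified": "2026-06-24T18:37:45.000Z",
+"published": "2026-06-24T18:37:45.000Z",
+"aliases": [
+"CVE-2026-13235"
+],
+"details": "This module enables you to utilize an agent to use Drupal core actions tools with bypassed access.\n\nCertain Drupal core actions, exposed as agent tools did not have correct access validation, and some core actions were missing associated access-level definitions.\n\nThis vulnerability is mitigated by the fact that an attacker must have access to communicate with an affected agent, the site must be configured to expose the affected tools to non-privileged users.",
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist:https://packages.drupal.org/8",
+"name": "drupal/ai"
+},
+"severity": [],
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.2.17"
+}
+],
+"database_specific": {
+"constraint": "<1.2.17"
+}
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.3.0"
+},
+{
+"fixed": "1.3.8"
+}
+],
+"database_specific": {
+"constraint": ">=1.3.0 <1.3.8"
+}
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.4.0"
+},
+{
+"fixed": "1.4.3"
+}
+],
+"database_specific": {
+"constraint": ">=1.4.0 <1.4.3"
+}
+}
+],
+"database_specific": {
+"affected_versions": "<1.2.17 || >=1.3.0 <1.3.8 || >=1.4.0 <1.4.3"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://www.drupal.org/sa-contrib-2026-055"
+}
+],
+"credits": [
+{
+"name": "AKHIL BABU (akhil babu)",
+"contact": [
+"https://www.drupal.org/u/akhil-babu"
+]
+},
+{
+"name": "Kuniyoshi Noguchi (kuninogu)",
+"contact": [
+"https://www.drupal.org/u/kuninogu"
+]
+}
+]
+}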
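--- a/advisories/ai_agents/DRUPAL-CONTRIB-2026-056.json
+++ b/advisories/ai_agents/DRUPAL-CONTRIB-2026-056.json
@@ -0,0 +1,80 @@
+{
+"schema_version": "1.7.0",
+"id": "DRUPAL-CONTRIB-2026-056",
+"modified": "2026-06-24T18:38:33.000Z",
+"published": "2026-06-24T18:38:33.000Z",
+"aliases": [
+"CVE-2026-13236"
+],
+"details": "This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools.\n\nThe module does not sufficiently check the required permissions when a tool loads content entities.\n\nThis vulnerability is mitigated by the fact that an agent must be configured to use the affected tool, and an attacker must have access to that agent.",
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist:https://packages.drupal.org/8",
+"name": "drupal/ai_agents"
+},
+"severity": [],
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.1.4"
+}
+],
+"database_specific": {
+"constraint": "<1.1.4"
+}
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.2.0"
+},
+{
+"fixed": "1.2.5"
+}
+],
+"database_specific": {
+"constraint": ">=1.2.0 <1.2.5"
+}
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.3.0"
+},
+{
+"fixed": "1.3.1"
+}
+],
+"database_specific": {
+"constraint": ">=1.3.0 <1.3.1"
+}
+}
+],
+"database_specific": {
+"affected_versions": "<1.1.4 || >=1.2.0 <1.2.5 || >=1.3.0 <1.3.1"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://www.drupal.org/sa-contrib-2026-056"
+}
+],
+"credits": [
+{
+"name": "Kuniyoshi Noguchi (kuninogu)",
+"contact": [
+"https://www.drupal.org/u/kuninogu"
+]
+}
+]
+}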