diff --git a/advisories/core/DRUPAL-CORE-2026-010.json b/advisories/core/DRUPAL-CORE-2026-010.json new file mode 100644 index 00000000..5e90cdb8 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2026-010.json @@ -0,0 +1,122 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2026-010", + "modified": "2026-07-15T19:50:24.000Z", + "published": "2026-07-15T19:50:24.000Z", + "aliases": [ + "CVE-2026-15916" + ], + "details": "The Image module allows you to define and configure image fields.\n\nThe module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than `private://`.\n\nThis vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.\n\nInformation disclosure issues like this one are not generally given security advisories (as described in [PSA-2023-07-12)](https://www.drupal.org/psa-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.6.13" + } + ], + "database_specific": { + "constraint": "<10.6.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.3.0" + }, + { + "fixed": "11.3.14" + } + ], + "database_specific": { + "constraint": ">=11.3.0 <11.3.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.4.0" + }, + { + "fixed": "11.4.4" + } + ], + "database_specific": { + "constraint": ">=11.4.0 <11.4.4" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.0" + } + ], + "database_specific": { + "constraint": "11.0.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.1.0" + }, + { + "fixed": "11.2.0" + } + ], + "database_specific": { + "constraint": "11.1.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.2.0" + }, + { + "fixed": "11.3.0" + } + ], + "database_specific": { + "constraint": "11.2.*" + } + } + ], + "database_specific": { + "affected_versions": "<10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2026-010" + } + ], + "credits": [ + { + "name": "offensive-ai", + "contact": [ + "https://www.drupal.org/u/offensive-ai" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2026-011.json b/advisories/core/DRUPAL-CORE-2026-011.json new file mode 100644 index 00000000..e6f1a255 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2026-011.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2026-011", + "modified": "2026-07-15T19:51:57.000Z", + "published": "2026-07-15T19:51:57.000Z", + "aliases": [ + "CVE-2026-15917" + ], + "details": "Drupal core 11.2 and above integrate the HTMX JavaScript library.\n\nDrupal core's XSS filter does not sufficiently sanitize certain HTMX attributes, which can lead to a cross-site scripting (XSS) vulnerability.\n\nThe vulnerability is mitigated by the fact an attacker must be able to insert HTML with specific attributes.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.3.0" + }, + { + "fixed": "11.3.14" + } + ], + "database_specific": { + "constraint": ">=11.3.0 <11.3.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.4.0" + }, + { + "fixed": "11.4.4" + } + ], + "database_specific": { + "constraint": ">=11.4.0 <11.4.4" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.2.0" + }, + { + "fixed": "11.3.0" + } + ], + "database_specific": { + "constraint": "11.2.*" + } + } + ], + "database_specific": { + "affected_versions": ">=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.2.*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2026-011" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2026-012.json b/advisories/core/DRUPAL-CORE-2026-012.json new file mode 100644 index 00000000..38a636c6 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2026-012.json @@ -0,0 +1,122 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2026-012", + "modified": "2026-07-15T19:52:26.000Z", + "published": "2026-07-15T19:52:26.000Z", + "aliases": [ + "CVE-2026-55805" + ], + "details": "The Layout Builder module doesn't sufficiently sanitize block labels in certain scenarios, which can lead to a cross-site scripting (XSS) vulnerability.\n\nThis is mitigated by the fact that both the attacker and the targeted user need to be using the Layout Builder editing interface.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.6.13" + } + ], + "database_specific": { + "constraint": "<10.6.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.3.0" + }, + { + "fixed": "11.3.14" + } + ], + "database_specific": { + "constraint": ">=11.3.0 <11.3.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.4.0" + }, + { + "fixed": "11.4.4" + } + ], + "database_specific": { + "constraint": ">=11.4.0 <11.4.4" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.1.0" + } + ], + "database_specific": { + "constraint": "11.0.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.1.0" + }, + { + "fixed": "11.2.0" + } + ], + "database_specific": { + "constraint": "11.1.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.2.0" + }, + { + "fixed": "11.3.0" + } + ], + "database_specific": { + "constraint": "11.2.*" + } + } + ], + "database_specific": { + "affected_versions": "<10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2026-012" + } + ], + "credits": [ + { + "name": "haii haii (hai27ii2o)", + "contact": [ + "https://www.drupal.org/u/hai27ii2o" + ] + } + ] +}