Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 122 additions & 0 deletions advisories/core/DRUPAL-CORE-2026-010.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
{
"schema_version": "1.7.0",
"id": "DRUPAL-CORE-2026-010",
"modified": "2026-07-15T19:50:24.000Z",
"published": "2026-07-15T19:50:24.000Z",
"aliases": [
"CVE-2026-15916"
],
"details": "The Image module allows you to define and configure image fields.\n\nThe module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than `private://`.\n\nThis vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.\n\nInformation disclosure issues like this one are not generally given security advisories (as described in [PSA-2023-07-12)](https://www.drupal.org/psa-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "10.6.13"
}
],
"database_specific": {
"constraint": "<10.6.13"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.3.0"
},
{
"fixed": "11.3.14"
}
],
"database_specific": {
"constraint": ">=11.3.0 <11.3.14"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.4.0"
},
{
"fixed": "11.4.4"
}
],
"database_specific": {
"constraint": ">=11.4.0 <11.4.4"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.0"
}
],
"database_specific": {
"constraint": "11.0.*"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.1.0"
},
{
"fixed": "11.2.0"
}
],
"database_specific": {
"constraint": "11.1.*"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.2.0"
},
{
"fixed": "11.3.0"
}
],
"database_specific": {
"constraint": "11.2.*"
}
}
],
"database_specific": {
"affected_versions": "<10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2026-010"
}
],
"credits": [
{
"name": "offensive-ai",
"contact": [
"https://www.drupal.org/u/offensive-ai"
]
}
]
}
80 changes: 80 additions & 0 deletions advisories/core/DRUPAL-CORE-2026-011.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
{
"schema_version": "1.7.0",
"id": "DRUPAL-CORE-2026-011",
"modified": "2026-07-15T19:51:57.000Z",
"published": "2026-07-15T19:51:57.000Z",
"aliases": [
"CVE-2026-15917"
],
"details": "Drupal core 11.2 and above integrate the HTMX JavaScript library.\n\nDrupal core's XSS filter does not sufficiently sanitize certain HTMX attributes, which can lead to a cross-site scripting (XSS) vulnerability.\n\nThe vulnerability is mitigated by the fact an attacker must be able to insert HTML with specific attributes.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.3.0"
},
{
"fixed": "11.3.14"
}
],
"database_specific": {
"constraint": ">=11.3.0 <11.3.14"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.4.0"
},
{
"fixed": "11.4.4"
}
],
"database_specific": {
"constraint": ">=11.4.0 <11.4.4"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.2.0"
},
{
"fixed": "11.3.0"
}
],
"database_specific": {
"constraint": "11.2.*"
}
}
],
"database_specific": {
"affected_versions": ">=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.2.*"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2026-011"
}
],
"credits": [
{
"name": "Pierre Rudloff (prudloff)",
"contact": [
"https://www.drupal.org/u/prudloff"
]
}
]
}
122 changes: 122 additions & 0 deletions advisories/core/DRUPAL-CORE-2026-012.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
{
"schema_version": "1.7.0",
"id": "DRUPAL-CORE-2026-012",
"modified": "2026-07-15T19:52:26.000Z",
"published": "2026-07-15T19:52:26.000Z",
"aliases": [
"CVE-2026-55805"
],
"details": "The Layout Builder module doesn't sufficiently sanitize block labels in certain scenarios, which can lead to a cross-site scripting (XSS) vulnerability.\n\nThis is mitigated by the fact that both the attacker and the targeted user need to be using the Layout Builder editing interface.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "10.6.13"
}
],
"database_specific": {
"constraint": "<10.6.13"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.3.0"
},
{
"fixed": "11.3.14"
}
],
"database_specific": {
"constraint": ">=11.3.0 <11.3.14"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.4.0"
},
{
"fixed": "11.4.4"
}
],
"database_specific": {
"constraint": ">=11.4.0 <11.4.4"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.0"
}
],
"database_specific": {
"constraint": "11.0.*"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.1.0"
},
{
"fixed": "11.2.0"
}
],
"database_specific": {
"constraint": "11.1.*"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "11.2.0"
},
{
"fixed": "11.3.0"
}
],
"database_specific": {
"constraint": "11.2.*"
}
}
],
"database_specific": {
"affected_versions": "<10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2026-012"
}
],
"credits": [
{
"name": "haii haii (hai27ii2o)",
"contact": [
"https://www.drupal.org/u/hai27ii2o"
]
}
]
}