Security advisories for third-party projects that are not part of Drupal core - this includes all modules, themes, and installation profiles that have been contributed by community members.
Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page.
The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios.
This vulnerability is mitigated by the fact that an attacker must have a role that permits them to enter HTML content.
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068
This module enables you to test and run AI-driven workflows interactively through a chat interface.
The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows that were not intended by the user.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer FlowDrop workflows" (or the equivalent "Create FlowDrop workflows" / "Edit FlowDrop workflows" permissions).
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
This module enables you to test and run AI-driven workflows interactively through a chat interface.
The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution (incurring LLM spend and tool side effects) or send messages into other users' sessions.
This vulnerability is mitigated by the fact that an attacker must have the permission "View any session", which is not granted to anonymous or authenticated users by default.
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066
The Canvas module allows you to upload image files via a custom API.
The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.
Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065
The Canvas AI submodule allows you to upload image files via a custom API to use within the AI web chat.
These file uploads are insufficiently validated before being written to Drupal's temporary directory. In some cases, this may lead to cross-site scripting (XSS).
Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064
The Tealium iQ Tag Management module provides Drupal integration with Tealium iQ.
tealiumiq stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.
Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
The Salesforce Suite of modules integrates Drupal with Salesforce.
The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account.
Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062
The Geolocation module adds a field to store coordinates and provides supporting plumbing for Views and other modules.
One of the provided Views filters does not sufficiently sanitize values when exposed to user input, resulting in a SQL injection vulnerability.
This vulnerability is mitigated by the fact that a view must exist that uses the aforementioned filter and is set to accept user input.
Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
The optional Paragraphs Library module allows the reuse of paragraphs in multiple places.
The module doesn't sufficiently restrict access to direct child paragraphs of library items through API endpoints.
This vulnerability is mitigated by the fact that the paragraphs_library module must be in use and that general write access to paragraphs through another module must be allowed.
Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060
The optional Paragraphs Library module allows the reuse of paragraphs in multiple places.
The module doesn't sufficiently restrict access to unpublished library items in lists.
This vulnerability is mitigated by the fact that the paragraphs_library module must be in use, and that an attacker must have access to a list of library items, such as a field with autocomplete suggestions or a view.