[CIVN-2026-0113] Multiple Vulnerabilities in Drupal Modules

Published On: March 5, 2026


Multiple Vulnerabilities in Drupal Modules


Indian – Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


Drupal core versions prior to 2.0.4

Drupal core versions prior to 1.2.1

Drupal core versions prior to 1.2.49

Drupal core versions prior to 9.7.0

Drupal core versions prior to 1.17.0

Drupal core versions prior to 2.17.5

Drupal core versions prior to 1.1.1

Drupal core versions prior to 3.1.3

Drupal core versions prior to 2.0.2

Overview


Multiple vulnerabilities have been reported in Drupal core which could allow a remote attacker to obtain sensitive information, execute arbitrary code, bypass access controls or perform cross-site scripting attacks on the targeted system.


Target Audience:

All end-user organizations and individuals using Drupal.


Risk Assessment:

Risk of remote code execution and unauthorized access to sensitive information.


Impact Assessment:

Potential compromise of system and unauthorized access to sensitive information.


Description


Drupal is an open-source content management system (CMS) and web application framework written in PHP.


Multiple vulnerabilities exist in Drupal core due to improper sanitization of user-supplied inputs, improper sanitization of URI paths, insufficient checking of certain user fields before rendering them inside JavaScript templates, and failure to properly invalidate used security tokens. A remote attacker could exploit these vulnerabilities by sending specially crafted inputs.


Successful exploitation of these vulnerabilities could allow a remote attacker to trigger remote code execution, perform cross-site scripting, bypass access controls and obtain sensitive information on the targeted system.


Solution


Apply appropriate updates as mentioned by the vendor:

https://www.drupal.org/sa-contrib-2026-012


https://www.drupal.org/sa-contrib-2026-011


https://www.drupal.org/sa-contrib-2026-013


https://www.drupal.org/sa-contrib-2026-014


https://www.drupal.org/sa-contrib-2026-015


https://www.drupal.org/sa-contrib-2026-016


https://www.drupal.org/sa-contrib-2026-017


https://www.drupal.org/sa-contrib-2026-018


https://www.drupal.org/sa-contrib-2026-019



Vendor Information


Drupal

https://www.drupal.org/sa-contrib-2026-012

https://www.drupal.org/sa-contrib-2026-011

https://www.drupal.org/sa-contrib-2026-013

https://www.drupal.org/sa-contrib-2026-014

https://www.drupal.org/sa-contrib-2026-015

https://www.drupal.org/sa-contrib-2026-016

https://www.drupal.org/sa-contrib-2026-017

https://www.drupal.org/sa-contrib-2026-018

https://www.drupal.org/sa-contrib-2026-019




Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003
