
[CIVN-2026-0366] Multiple vulnerabilities in Drupal products
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
Multiple vulnerabilities in Drupal products
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Drupal Canvas AI submodule versions prior to 1.4.2, 1.5.0 to 1.5.1, 1.6.0, and 1.7.1.
FlowDrop module versions prior to 1.6.0.
Colorbox module versions prior to 2.1.5 and 2.2.1.
Overview
Multiple vulnerabilities have been reported in Drupal plugins, which could allow an attacker to perform cross-site scripting (XSS) attacks, bypass access restrictions, upload malicious files, and execute unauthorized access on the targeted system.
Target Audience:
All end-user organizations and individuals using the affected Drupal plugins.
Risk Assessment:
Risk of cross-site scripting attacks, bypass access restrictions, execution malicious file upload, and execute unauthorized access.
Impact Assessment:
Potential for unauthorized access to sensitive information, data theft, malicious file uploads, and full compromise of the affected system.
Description
Drupal is an open-source Content Management System (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.
Multiple vulnerabilities exist in Drupal Core due to improper validation, improper access control, and improper sanitization of user supplied input.
Successful exploitation of these vulnerabilities could allow could allow an attacker to perform cross-site scripting (XSS) attacks, bypass access restrictions, upload malicious files, and execute unauthorized access on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.drupal.org/sa-contrib-2026-065
https://www.drupal.org/sa-contrib-2026-066
https://www.drupal.org/sa-contrib-2026-067
https://www.drupal.org/sa-contrib-2026-068
https://www.drupal.org/sa-contrib-2026-069
Vendor Information
Drupal
https://www.drupal.org/sa-contrib-2026-065
https://www.drupal.org/sa-contrib-2026-066
https://www.drupal.org/sa-contrib-2026-067
https://www.drupal.org/sa-contrib-2026-068
https://www.drupal.org/sa-contrib-2026-069
References
Drupal
https://www.drupal.org/sa-contrib-2026-065
https://www.drupal.org/sa-contrib-2026-066
https://www.drupal.org/sa-contrib-2026-067
https://www.drupal.org/sa-contrib-2026-068
https://www.drupal.org/sa-contrib-2026-069
CVE Name
CVE-2026-58587
CVE-2026-58588
CVE-2026-58589
CVE-2026-58590
CVE-2026-58591
– —
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpaK8UACgkQ3jCgcSdc
ys/YkQ//To8+RjctfVPLK6oxcIEhC3y3fxYrAqfwSCPnmJ0rLTKo3RUkaV/IfJ63
fjlEcaiMjCPmcVLSyrligaQdyjhOhc6XPksLbrFvYRRjmYW/g8pFIflTRxKTT5NC
JajgvRW6/A63WJkPjD/u24QjiUXm/7SeJ9aO9oBTOxK6dVAP1jG2NB0E40vuHXYW
vy+xDVi7ZwJo/tnk6vlkgEKx1iP0L/QZA54K89u71BpSTWuVMlEFfKinT27Ltxg/
RWgBmaJPHl5jYnQY6owdcJvMzl4y344K4U9v9bKtnfFs39vXoUOZrEONobzycWtD
A+WINbrphBooDHQcNk+TXgn+9KAxHVi3Z4if7TT/kap68/MyHxifSYdjhZs6CIaP
9UboQy5YZP93nx+LYR9Bjp/TamujHJyvVUy7R4lT/Mt7HmHVtxgdseYXIg0hbVth
f63DhYjGGKHsBGPM3jFOcn14ILxuQRkUVYlcXhcOqvfW/eU9Jqqi2guBkmfVvwlk
pTfBuFjqTHzEH5vbeG34HgoSBUNRp9QCWV1+pODXtGbQpcdzatW4GKgqTk/wdhNB
yjXgOhYJmCAd9+QrJc2cZ9xjDZdzZeMInr1nsjIrpl+Ja/FcaQOA8wYNoMKO1WjI
A/ChZrODvdK9CrFFDGw5KyHqWnFZHlC7at7fBU5GJeNKSEf+oOQ=
=1oW0
—–END PGP SIGNATURE—–


