
[CIVN-2026-0300] Multiple Vulnerabilities in Drupal Plugins
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
LocalGov Workflows versions prior to 1.6.0
Tacjs versions prior to 6.8
Commerce Core 3.3.0 versions prior to 3.3.6
Anti-Spam by CleanTalk versions prior to 9.7.1
Overview
Multiple vulnerabilities have been reported in Drupal modules, which could allow an attacker to disclose sensitive information, delete arbitrary cookies and perform cross-site scripting attacks on the targeted system.
Target Audience:
All end-user organizations and individuals using Drupal modules.
Risk Assessment:
Risk of cross-site scripting attacks and unauthorized access.
Impact Assessment:
Potential for data theft, unauthorized access to sensitive information and compromise of the system.
Description
Drupal is an open-source Content Management System (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.
Multiple vulnerabilities exist in Drupal modules due to improper access control and improper sanitization of user-supplied input.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, delete arbitrary cookies and perform cross-site scripting attacks on the targeted system.
Solution
Apply appropriate security updates as mentioned:
https://www.drupal.org/sa-contrib-2026-039
https://www.drupal.org/sa-contrib-2026-040
https://www.drupal.org/sa-contrib-2026-041
https://www.drupal.org/sa-contrib-2026-042
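To see which of the modules listed under Software Affected a site still runs below the fixed version, the bounds can be checked against the site's composer.lock. This is an added example, not part of the CERT-In advisory or of Drupal's own tooling; the Composer package names and the reading of the Commerce Core line as 3.3.0 <= version < 3.3.6 are assumptions.

```python
import json

# package -> (lowest affected or None, first fixed); package names are assumptions.
AFFECTED = {
    "drupal/localgov_workflows": (None, "1.6.0"),
    "drupal/tacjs": (None, "6.8"),
    "drupal/commerce": ("3.3.0", "3.3.6"),  # assumed reading: 3.3.0 <= v < 3.3.6
    "drupal/cleantalk": (None, "9.7.1"),
}

def parse_version(text):
    """'6.7.0', 'v1.5.2' or '8.x-1.5' -> comparable 3-tuple; None for dev branches."""
    text = text.strip().lstrip("v")
    if text.split("-")[0].endswith(".x"):
        text = text.split("-", 1)[-1]  # drop legacy core prefix such as '8.x-'
    parts = text.split("-")[0].split("+")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(lock_text):
    """Map each advisory package found in a composer.lock to a status string."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        name = pkg.get("name", "").lower()
        if name not in AFFECTED:
            continue
        low, fixed = AFFECTED[name]
        installed = parse_version(pkg.get("version", ""))
        if installed is None:
            findings[name] = "unknown"  # dev branch or odd tag: check by hand
        elif installed >= parse_version(fixed) or (low and installed < parse_version(low)):
            findings[name] = "outside-affected-range"
        else:
            findings[name] = "vulnerable"
    return findings

# Constructed sample lock file, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/localgov_workflows", "version": "1.5.2"},
    {"name": "drupal/tacjs", "version": "6.8.0"},
    {"name": "drupal/commerce", "version": "3.3.4"},
    {"name": "drupal/cleantalk", "version": "dev-9.x"},
]})

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))
```

Pre-release tags of a fixed version (for example a beta) compare equal to the release here, so confirm those by hand along with anything reported as unknown.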
Vendor Information
Drupal
https://www.drupal.org/sa-contrib-2026-039
https://www.drupal.org/sa-contrib-2026-040
https://www.drupal.org/sa-contrib-2026-041
https://www.drupal.org/sa-contrib-2026-042
CVE Name
CVE-2026-10768
CVE-2026-10769
CVE-2026-10770
CVE-2026-49977
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


