[CIVN-2026-0362] Multiple Vulnerabilities in Drupal

By Published On: July 14, 2026

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256


Multiple Vulnerabilities in Drupal


Indian – Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


Commerce guest registration.

Clean RESTful.

Raw Formatter [Meta Tag Formatter].

AI SEO/GEO Analyzer versions prior to 1.1.3

UI Patterns (SDC in Drupal UI) versions prior to 2.0.17, starting from 2.0.0

Siteimprove Analytics versions prior to 2.0.1

Location Selector versions prior to 1.3.0 

Ray Enterprise Translation versions prior to 4.0.4

Ray Enterprise Translation versions prior to 4.1.4, starting from 4.1.0

Ray Enterprise Translation versions prior to 11.0.4, starting from 11.0.0

Login Disable versions prior to 2.1.4

Overview


Multiple vulnerabilities have been reported in Drupal modules, which could allow an attacker to execute SQL injection, cross-site scripting (XSS) attacks, bypass security restrictions or otherwise compromise the targeted system.


Target Audience:

All end-user organizations and individuals using the affected Drupal modules.


Risk Assessment:

High risk of SQL injection, cross-site scripting, and potential compromise of affected Drupal websites.


Impact Assessment:

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary SQL queries, perform cross-site scripting (XSS) attacks, bypass security restrictions, gain unauthorized access, and compromise the integrity of the affected system.


Description


Drupal is an open-source Content Management System (CMS) used to build, manage, and maintain websites and web applications.


Multiple vulnerabilities have been identified in several Drupal contributed modules due to improper input sanitization, SQL injection flaws, and other security weaknesses.


Successful exploitation of these vulnerabilities could allow an attacker to perform SQL injection and cross-site scripting (XSS) attacks, bypass security restrictions, or otherwise compromise the targeted system.


Solution


Apply appropriate security updates as mentioned:

https://www.drupal.org/sa-contrib-2026-070


https://www.drupal.org/sa-contrib-2026-071


https://www.drupal.org/sa-contrib-2026-072


https://www.drupal.org/sa-contrib-2026-073


https://www.drupal.org/sa-contrib-2026-075


https://www.drupal.org/sa-contrib-2026-076


https://www.drupal.org/sa-contrib-2026-077


https://www.drupal.org/sa-contrib-2026-078


https://www.drupal.org/sa-contrib-2026-079



Vendor Information


Drupal

https://new.drupal.org/home


References


Drupal

https://www.drupal.org/sa-contrib-2026-070

https://www.drupal.org/sa-contrib-2026-071

https://www.drupal.org/sa-contrib-2026-072

https://www.drupal.org/sa-contrib-2026-073

https://www.drupal.org/sa-contrib-2026-075

https://www.drupal.org/sa-contrib-2026-076

https://www.drupal.org/sa-contrib-2026-077

https://www.drupal.org/sa-contrib-2026-078

https://www.drupal.org/sa-contrib-2026-079


CVE Name

CVE-2026-15079

CVE-2026-15080

CVE-2026-15081

CVE-2026-15082

CVE-2026-15084

CVE-2026-15085

CVE-2026-15086

CVE-2026-15087

CVE-2026-15089




– —


Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–


iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpWR8AACgkQ3jCgcSdc

ys+gpg/9HxLlmyLfmE0SnJgcs5dNYV/RX9lJSCmokrQl15vQAv/9/+PgjbEWfDAq

m3UBeRLF44eiz7aiP5yDu1BxjBRrzH03d6wnBK7kwhJ+MSe6mauaBmrj6w65hXQW

xE4Y4WWwhN31LZ69EgkFAe+1UeHAZ9dsRNkPmi8zEMK+AEoPFxDbbjYz91kNJ9uF

JbOolXvfXjhlfIuhsB2InqoJwxwegKm2KTyC+ZAgFhSIBFnYqf9/kH3KXmTgYDvS

ZVEndmfUJU04FPpxOjPhpt5vDxUaU68MxSmDMGDglvtfTxvBYG/AvBphWQ9mOQqE

Uq6dNdRhDQJNIe2kzjhTaoEg508KhPf0sK3dlnHzuGWKjaHu0EVd07btNK9Az+GP

CKUnkCaII3P7sQVp0fy6yVyFqMjsD+qMxAVOO/W8M6BGh78p5Dr6jrX4QEmpangr

3ISAdfWRXLbZIz4/LdUVc/OE/2UO9gQFX37vglQjvT7bTtjg6mt90r3kiED5Gsaa

eaHr5Ivkr2KYDhvGO3dGL9yw60uQSug/rYqTMQmVpaRyX49sPhj++hUDSUNuhiTb

ZVN/GsWNgdzOxLhTnhidfBJKgcDpTIFnA5fPY8BltBmmV5yTZQ9akDTTPbvYHSbf

V8qp5MYfidLS6nxai49WN32oVjXVPRZrsvr8RH5xZ5UVyEr3Md4=

=mCfG

—–END PGP SIGNATURE—–

Share this article