[CIVN-2026-0366] Multiple vulnerabilities in Drupal products

By Published On: July 17, 2026

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256


Multiple vulnerabilities in Drupal products


Indian – Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


Drupal Canvas AI submodule versions prior to 1.4.2, 1.5.0 to 1.5.1, 1.6.0, and 1.7.1.

FlowDrop module versions prior to 1.6.0.

Colorbox module versions prior to 2.1.5 and 2.2.1.

Overview


Multiple vulnerabilities have been reported in Drupal plugins, which could allow an attacker to perform cross-site scripting (XSS) attacks, bypass access restrictions, upload malicious files, and execute unauthorized access on the targeted system.


Target Audience:

All end-user organizations and individuals using the affected Drupal plugins.


Risk Assessment:

Risk of cross-site scripting attacks, bypass access restrictions, execution malicious file upload, and execute unauthorized access.


Impact Assessment:

Potential for unauthorized access to sensitive information, data theft, malicious file uploads, and full compromise of the affected system.


Description


Drupal is an open-source Content Management System (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.


Multiple vulnerabilities exist in Drupal Core due to improper validation, improper access control, and improper sanitization of user supplied input.


Successful exploitation of these vulnerabilities could allow could allow an attacker to perform cross-site scripting (XSS) attacks, bypass access restrictions, upload malicious files, and execute unauthorized access on the targeted system.


Solution


Apply appropriate updates as mentioned by the vendor:

https://www.drupal.org/sa-contrib-2026-065


https://www.drupal.org/sa-contrib-2026-066


https://www.drupal.org/sa-contrib-2026-067


https://www.drupal.org/sa-contrib-2026-068


https://www.drupal.org/sa-contrib-2026-069



Vendor Information


Drupal

https://www.drupal.org/sa-contrib-2026-065

https://www.drupal.org/sa-contrib-2026-066

https://www.drupal.org/sa-contrib-2026-067

https://www.drupal.org/sa-contrib-2026-068

https://www.drupal.org/sa-contrib-2026-069


References


Drupal

https://www.drupal.org/sa-contrib-2026-065

https://www.drupal.org/sa-contrib-2026-066

https://www.drupal.org/sa-contrib-2026-067

https://www.drupal.org/sa-contrib-2026-068

https://www.drupal.org/sa-contrib-2026-069


CVE Name

CVE-2026-58587

CVE-2026-58588

CVE-2026-58589

CVE-2026-58590

CVE-2026-58591




– —


Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–


iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpaK8UACgkQ3jCgcSdc

ys/YkQ//To8+RjctfVPLK6oxcIEhC3y3fxYrAqfwSCPnmJ0rLTKo3RUkaV/IfJ63

fjlEcaiMjCPmcVLSyrligaQdyjhOhc6XPksLbrFvYRRjmYW/g8pFIflTRxKTT5NC

JajgvRW6/A63WJkPjD/u24QjiUXm/7SeJ9aO9oBTOxK6dVAP1jG2NB0E40vuHXYW

vy+xDVi7ZwJo/tnk6vlkgEKx1iP0L/QZA54K89u71BpSTWuVMlEFfKinT27Ltxg/

RWgBmaJPHl5jYnQY6owdcJvMzl4y344K4U9v9bKtnfFs39vXoUOZrEONobzycWtD

A+WINbrphBooDHQcNk+TXgn+9KAxHVi3Z4if7TT/kap68/MyHxifSYdjhZs6CIaP

9UboQy5YZP93nx+LYR9Bjp/TamujHJyvVUy7R4lT/Mt7HmHVtxgdseYXIg0hbVth

f63DhYjGGKHsBGPM3jFOcn14ILxuQRkUVYlcXhcOqvfW/eU9Jqqi2guBkmfVvwlk

pTfBuFjqTHzEH5vbeG34HgoSBUNRp9QCWV1+pODXtGbQpcdzatW4GKgqTk/wdhNB

yjXgOhYJmCAd9+QrJc2cZ9xjDZdzZeMInr1nsjIrpl+Ja/FcaQOA8wYNoMKO1WjI

A/ChZrODvdK9CrFFDGw5KyHqWnFZHlC7at7fBU5GJeNKSEf+oOQ=

=1oW0

—–END PGP SIGNATURE—–

Share this article