0.0
CVE-2026-3531 - OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
0.0
CVE-2026-3530 - OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disc…
Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
6.1
CVE-2026-3529 - Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS). This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.
6.1
CVE-2026-3528 - Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS). This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
6.5
CVE-2026-3527 - AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.
5.3
CVE-2026-3526 - File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
5.3
CVE-2026-3525 - File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
5.3
CVE-2026-33537 - Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl - loopback and link-local IPs…
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach int…
5.1
CVE-2026-33536 - ImageMagick has an Out-of-bounds Write via InterpretImageFilename
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds writ…
4
CVE-2026-33535 - ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.