6.1
CVE-2026-3529 - Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.
6.1
CVE-2026-3528 - Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
6.5
CVE-2026-3527 - AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.
5.3
CVE-2026-3526 - File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
5.3
CVE-2026-3525 - File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
5.3
CVE-2026-33537 - Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl β loopback and link-local IPsβ¦
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach intβ¦
5.1
CVE-2026-33536 - ImageMagick has an Out-of-bounds Write via InterpretImageFilename
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds writβ¦
4
CVE-2026-33535 - ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
4.3
CVE-2026-33532 - yaml is vulnerable to Stack Overflow via deeply nested YAML collections
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without aβ¦
7.5
CVE-2026-32287 - Infinite loop in github.com/antchfx/xpath
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".