4.2
CVE-2026-1554 - Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-202โฆ
XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
4.8
CVE-2026-1553 - Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
6.5
CVE-2026-0948 - Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.
4.8
CVE-2026-0947 - AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.
6.1
CVE-2026-0946 - AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.
5.4
CVE-2026-0945 - Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0.
5.3
CVE-2026-0944 - Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.
5.3
CVE-2023-38010 - Multiple Vulnerabilities in IBM Cloud Pak System
IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system.
9.8
CVE-2026-25505 - Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7.
9.4
CVE-2026-25481 - Langroid has WAF Bypass Leading to RCE in TableChatAgent
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code iโฆ