Drupal Security Advisories Cover Geolocation Field, WissKI, Paragraphs, and AI Modules
The Drupal Security Team published 14 contributed-project security advisories on 24 June 2026, numbered SA-CONTRIB-2026-051 through SA-CONTRIB-2026-064. Three are rated critical and affect Geolocation Field, WissKI, and the unsupported Tealium iQ Tag Management project. The remainder cover access bypass, information disclosure, cross-site scripting, server-side request forgery, cross-site request forgery, payment-response validation, and insecure direct object reference handling.
Site maintainers should assess each advisory against the submodules actually enabled and the features actually exposed, not merely whether the project is installed. The highest-risk items involve an exposed Views filter, a Mirador-related submodule route, and unsupported code with no maintained fix. The AI-related and Paragraphs issues are lower in severity but matter on sites that expose agents to non-privileged users, render model-generated HTML or Markdown, or expose Paragraphs Library endpoints.
The Geolocation Field advisory carries the highest risk score in the group. SA-CONTRIB-2026-062 rates the issue critical with a 19 out of 25 risk score and describes a SQL injection vulnerability in one of the module's Views filters. The issue is reachable when a view uses the affected filter and its value comes from user input, as with an exposed filter. Sites using the module should upgrade to Geolocation Field 8.x-3.15, and should check which views use the module's filters in exposed form rather than assuming the module is unused because it is only installed.
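As an added illustration of the vulnerability class, not Geolocation Field's own code, the block below shows a distance filter that concatenates its value into the WHERE clause beside the parameterised form. It runs on plain PHP with the pdo_sqlite extension; the table, rows and search point are constructed, the distance expression is a deliberately simple Manhattan distance, and the `addWhereExpression()` comments describe how the same two shapes look inside a Drupal Views filter plugin.

```php
<?php
// Added example, not Geolocation Field's code: the injection pattern behind a
// Views filter that concatenates its value into a WHERE expression, beside the
// parameterised form. Needs only plain PHP with the pdo_sqlite extension.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE place (id INTEGER PRIMARY KEY, name TEXT, lat REAL, lng REAL)');
// Constructed sample rows: one near the search point, two far away.
$db->exec("INSERT INTO place (name, lat, lng) VALUES
  ('Berlin', 52.52, 13.40), ('Lisbon', 38.72, -9.14), ('Oslo', 59.91, 10.75)");

// Vulnerable: the radius typed into an exposed filter is interpolated into SQL.
// Inside FilterPluginBase::query() this is the shape of
//   $this->query->addWhereExpression($group, "... < {$this->value}");
function places_within_vulnerable(PDO $db, float $lat, float $lng, string $radius): array
{
    $sql = "SELECT name FROM place WHERE abs(lat - $lat) + abs(lng - $lng) < $radius ORDER BY id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the same expression with placeholders. The value is bound, and the
// CAST makes SQLite compare it as a number rather than as text, so it can only
// ever be a radius. The Views form of the same thing is
//   $this->query->addWhereExpression($group, "... < :radius", [':radius' => (float) $this->value]);
// with the numeric check also enforced in the filter's validateExposed().
function places_within_safe(PDO $db, float $lat, float $lng, string $radius): array
{
    $sql = 'SELECT name FROM place WHERE abs(lat - :lat) + abs(lng - :lng) < CAST(:radius AS REAL) ORDER BY id';
    $stmt = $db->prepare($sql);
    $stmt->execute([':lat' => $lat, ':lng' => $lng, ':radius' => (float) $radius]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// What a user of the exposed filter would type, and what an attacker types.
foreach (['1', '0 OR 1=1'] as $radius) {
    echo "radius {$radius}\n";
    echo '  vulnerable: ', json_encode(places_within_vulnerable($db, 52.5, 13.4, $radius)), "\n";
    echo '  safe:       ', json_encode(places_within_safe($db, 52.5, 13.4, $radius)), "\n";
}
```

With the radius `1` both functions return only Berlin. With `0 OR 1=1` the concatenating version returns every row, because the input has become part of the SQL, while the bound version casts the input to the number 0 and returns nothing. The same attacker input can of course carry a subquery against other tables rather than a tautology; the point of the parameterised form is that no value, however shaped, can change the statement.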
The WissKI advisory is also critical. SA-CONTRIB-2026-059 carries a 17 out of 25 risk score and concerns access bypass in the wisski_mirador submodule, which supports the Mirador viewer and image annotations. The advisory says submitted route parameters are written to the session object without sufficient checks. Sites using WissKI 8.x-4.1 should upgrade to WissKI 8.x-4.2.
The Tealium iQ Tag Management advisory is critical because the project is unsupported and has a known unfixed security issue. SA-CONTRIB-2026-064 affects all versions and carries a 16 out of 25 risk score. The Drupal Security Team directs sites using the project to uninstall it; because no fixed release will be published, leaving the module installed but unused is not a remediation. The advisory also points potential maintainers to Drupal.org's process for taking over project maintainership.
The Paragraphs module is affected by two access bypass advisories tied to the optional paragraphs_library module. SA-CONTRIB-2026-061 is moderately critical and concerns access to direct child paragraphs of library items through API endpoints. SA-CONTRIB-2026-060 is less critical and concerns access to unpublished library items in lists. Drupal.org’s latest visible usage statistics show 236,900 reported sites using Paragraphs for the week starting 24 May 2026.
Both Paragraphs advisories affect versions earlier than 1.21.0. The more serious issue requires paragraphs_library to be in use and general write access to paragraphs through another module. The less critical issue requires access to a list of library items, such as autocomplete suggestions or a view. Sites using the Drupal 8.x branch should upgrade to Paragraphs 8.x-1.21.
The AI (Artificial Intelligence) module received two moderately critical advisories. SA-CONTRIB-2026-054 covers information disclosure and cross-site scripting in workflows that render HTML or Markdown generated through large language model requests. The affected submodules include AI Automators, AI Translate, AI API Explorer, and AI Content Suggestions. SA-CONTRIB-2026-055 covers access bypass in Drupal core actions exposed as agent tools.
Both AI (Artificial Intelligence) advisories affect versions earlier than 1.2.17, versions from 1.3.0 before 1.3.8, and versions from 1.4.0 before 1.4.3. Affected sites should update to AI 1.2.17, 1.3.8, or 1.4.3. The access bypass issue is mitigated by the requirement that an attacker can communicate with an affected agent and that the site exposes affected tools to non-privileged users.
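The rendering side of SA-CONTRIB-2026-054 comes down to whether model output is treated as untrusted text or marked as already-safe markup. The block below is an added example of both shapes in Drupal's render API, not code from the AI module: the controller, module name and the sample model output are constructed, and it runs inside a Drupal 10 or 11 site rather than stand-alone.

```php
<?php
// Added example, not the AI module's code: rendering LLM-generated HTML in a
// Drupal controller. Runs inside a Drupal 10/11 site; the module name and
// sample output are constructed, the classes used are core APIs.
namespace Drupal\example_llm\Controller;

use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Render\Markup;

final class LlmOutputController extends ControllerBase {

  // Constructed stand-in for a model response. A model can be steered, by a
  // prompt injection in the text it was asked to summarise for instance, into
  // emitting markup, so its output gets the same treatment as any user input.
  private const SAMPLE_HTML = '<p>Summary</p>'
    . '<img src=x onerror="fetch(\'/user/1/edit\')">'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(2)">link</a>';

  // Unsafe: Markup::create() declares the string already safe, so the renderer
  // skips Xss::filterAdmin() and the script, onerror and javascript: URL
  // reach the browser unchanged.
  public function unsafe(): array {
    return ['#markup' => Markup::create(self::SAMPLE_HTML)];
  }

  // Safe: a plain string in #markup is passed through Xss::filterAdmin() by
  // the renderer. Supplying #allowed_tags makes it use Xss::filter() with
  // exactly that list instead, which is the right default for model output:
  // only formatting tags survive, on* attributes and javascript: URLs are
  // dropped.
  public function safe(): array {
    return [
      '#markup' => self::SAMPLE_HTML,
      '#allowed_tags' => ['p', 'a', 'em', 'strong', 'ul', 'ol', 'li', 'code', 'pre'],
    ];
  }

  // For Markdown workflows, filter the converter's HTML output, not the
  // Markdown: many converters pass raw HTML through, and the sanitiser has to
  // see the final markup that will be rendered.
  public static function sanitizeGeneratedHtml(string $html): string {
    return Xss::filter($html, ['p', 'a', 'em', 'strong', 'ul', 'ol', 'li', 'code', 'pre']);
  }

}
```

The same distinction applies in Twig: a variable rendered with `|raw`, or a string wrapped in a `MarkupInterface` object before it reaches the template, bypasses autoescaping in exactly the way `Markup::create()` does here. The information-disclosure half of the advisory is the other side of the same coin: whatever the model was given as context can come back out in its output, so the rendered text should be treated as potentially containing anything that was in the prompt.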
The OpenAI Provider module is covered by SA-CONTRIB-2026-053, a moderately critical server-side request forgery advisory with a 10 out of 25 risk score. The advisory says the module does not sufficiently sanitise user-supplied URLs. The issue is mitigated by the requirement that an attacker can change the host URL and trigger image generation. Sites using affected versions should update to OpenAI Provider 1.1.1 or 1.2.2.
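An upstream host that users can change is a server-side request forgery primitive unless the server constrains where it will connect. The block below is an added example of such a check in plain PHP, not the OpenAI Provider module's code: the allowed host is a constructed value standing in for a deployment-controlled setting, and the inputs in the loop are constructed attack and non-attack URLs.

```php
<?php
// Added example, not the OpenAI Provider module's code: constraining a
// user-supplied API base URL before the server makes a request to it.
declare(strict_types=1);

/**
 * Returns a normalised https base URL, or null if the input is not acceptable.
 *
 * $allowed_hosts is controlled by the deployment (constructed values below);
 * user input may select from it but cannot add to it. With an exact-host
 * allowlist there is no need to resolve DNS and inspect addresses, which is
 * where most "block private ranges" filters go wrong.
 */
function validate_upstream_url(string $url, array $allowed_hosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // TLS only, and no userinfo: "https://good.host@evil.host/" parses with
    // host evil.host but is easy to misread in a log or a config form.
    if (strtolower($parts['scheme']) !== 'https' || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    // IP literals, including bracketed IPv6, are how SSRF reaches 127.0.0.1,
    // 169.254.169.254 or 10/8. The allowlist already rejects them; this check
    // keeps that true if the allowlist is ever relaxed to suffix matching.
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) !== false) {
        return null;
    }
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }
    // Default port only; a non-default port would let the request reach
    // another service on the allowed host.
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return null;
    }
    $path = rtrim($parts['path'] ?? '/', '/');
    return 'https://' . $host . $path . '/';
}

// Constructed inputs: one legitimate, the rest the shapes an attacker tries.
$allowed = ['llm.example.com'];
$inputs = [
    'https://llm.example.com/v1',
    'http://llm.example.com/v1',
    'https://llm.example.com@169.254.169.254/latest/meta-data/',
    'https://127.0.0.1:8080/',
    'https://[::1]/',
    'https://llm.example.com.attacker.test/v1',
    'https://llm.example.com:8443/v1',
];
foreach ($inputs as $input) {
    printf("%-58s -> %s\n", $input, validate_upstream_url($input, $allowed) ?? 'rejected');
}
```

Only the first input is accepted, and it is returned in a canonical form so that the rest of the code builds requests from the normalised value rather than from the raw input. If a deployment genuinely needs arbitrary hosts, the allowlist has to be replaced by resolving the name and checking every returned address at connect time, with redirects either disabled or re-checked; a one-off check of the hostname string is not enough in that case.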
The AI Agents module received two advisories. SA-CONTRIB-2026-057 is moderately critical and covers information disclosure and access bypass when an agent inherits deterministic parameters while invoking the same tool in one request. SA-CONTRIB-2026-056 is less critical and covers missing permission checks when a tool loads content entities. Affected sites should update to AI Agents 1.1.4, 1.2.5, or 1.3.1.
The Salesforce Suite module is covered by SA-CONTRIB-2026-063, a moderately critical cross-site request forgery advisory with an 11 out of 25 risk score. The advisory says the module does not properly validate the OAuth handshake during interactive authentication, which could allow an attacker to hijack an authorization token and bind a Drupal site to the attacker’s Salesforce account. The issue applies only when the deprecated salesforce_oauth submodule is enabled and an OAuth authorization profile is active and in use. Sites relying only on salesforce_jwt are not affected, and the 6.0.x branch is not affected because salesforce_oauth has been removed.
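The attack the Salesforce Suite advisory describes is the classic one against an authorization-code flow: the attacker authorises their own account, captures the callback URL carrying the resulting code, and gets a site administrator to open it, so the site exchanges the attacker's code and binds itself to the attacker's account. The standard defence (RFC 6749, section 10.12) is a per-session `state` value that the callback must echo back. The block below is an added plain-PHP example of that check, not the module's code; the session is a plain array standing in for the real session store, and the endpoint, client ID and codes are constructed.

```php
<?php
// Added example, not Salesforce Suite's code: binding an OAuth authorization
// code flow to the browser session with a state value. The session is a plain
// array here; in Drupal it would be the request's session bag.
declare(strict_types=1);

// Constructed endpoint; the provider's real URL is irrelevant to the check.
const AUTHORIZE_ENDPOINT = 'https://login.example.test/services/oauth2/authorize';

/** Step 1: build the redirect and remember the state in the caller's session. */
function begin_authorization(array &$session, string $client_id, string $redirect_uri): string
{
    $state = bin2hex(random_bytes(16));          // 128 bits, unguessable
    $session['oauth_state'] = $state;
    $session['oauth_state_expires'] = time() + 600;
    return AUTHORIZE_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $client_id,
        'redirect_uri'  => $redirect_uri,
        'state'         => $state,
    ]);
}

/**
 * Step 2: on the callback, return the code only if the state matches the one
 * this session issued. The stored state is consumed first so that a retry
 * cannot reuse it whether or not the check succeeds.
 */
function finish_authorization(array &$session, array $query): ?string
{
    $expected = $session['oauth_state'] ?? null;
    $expires  = $session['oauth_state_expires'] ?? 0;
    unset($session['oauth_state'], $session['oauth_state_expires']);
    if ($expected === null || time() > $expires) {
        return null;                              // no flow in progress, or stale
    }
    $got = $query['state'] ?? '';
    if (!is_string($got) || !hash_equals($expected, $got)) {
        return null;                              // not the flow this session started
    }
    $code = $query['code'] ?? null;
    return (is_string($code) && $code !== '') ? $code : null;
}

// Legitimate flow: the same session starts and finishes the handshake.
$session = [];
$redirect = begin_authorization($session, 'constructed-client-id', 'https://site.example/oauth/callback');
parse_str((string) parse_url($redirect, PHP_URL_QUERY), $sent);
$code = finish_authorization($session, ['code' => 'code-from-provider', 'state' => $sent['state']]);
var_dump($code);

// Attack: an administrator opens a callback URL the attacker obtained by
// authorising the attacker's own account. The administrator's session holds
// no matching state, so the attacker's code is never exchanged.
$victim = [];
$hijacked = finish_authorization($victim, ['code' => 'attackers-code', 'state' => 'attackers-state']);
var_dump($hijacked);

// Same attack against an administrator who does have a flow in progress: the
// attacker cannot know that session's state, so it still fails.
$busy = [];
begin_authorization($busy, 'constructed-client-id', 'https://site.example/oauth/callback');
var_dump(finish_authorization($busy, ['code' => 'attackers-code', 'state' => 'attackers-state']));
```

The first `var_dump` prints the genuine code and the other two print `NULL`. Without the state check, a callback handler that simply reads `code` from the query and exchanges it behaves the same for all three, which is the binding-to-the-attacker's-account outcome described above. A `state` that is generated but compared with `==`, never expired, or accepted from any session has the same weakness in a less obvious form.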
The Commerce Realex / Global Payments module is covered by SA-CONTRIB-2026-058, a moderately critical access bypass advisory with a 12 out of 25 risk score. The affected configuration involves the redirect payment method, where the module does not sufficiently verify the authenticity of the payment response returned by Global Payments. The lightbox payment method validates the signature and is not affected. Sites using affected versions should upgrade to commerce_realex 3.0.2 or disable the gateway until the update can be applied.
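In a redirect flow the payment result arrives through the customer's browser, so the only thing that makes it trustworthy is a signature the gateway computed with a secret the customer does not have. The block below is an added plain-PHP example of verifying such a response, not commerce_realex's code: the field names, the success value and the HMAC-SHA256 scheme are constructed stand-ins, and Global Payments' actual signing scheme is the one in the gateway's documentation and in the fixed module, not this one.

```php
<?php
// Added example, not commerce_realex's code: treating a redirect-style payment
// response as untrusted until both its signature and its contents are checked.
// Field names, the success value 'OK' and the HMAC scheme are constructed.
declare(strict_types=1);

const SIGNED_FIELDS = ['order_id', 'amount', 'currency', 'result', 'auth_code', 'timestamp'];

/** The gateway side of the hypothetical scheme, used here to build samples. */
function sign_response(array $fields, string $secret): string
{
    $canonical = implode('.', array_map(fn ($k) => $fields[$k] ?? '', SIGNED_FIELDS));
    return hash_hmac('sha256', $canonical, $secret);
}

// The mistake, in its simplest form: trusting the result field of whatever
// the browser posted back to the return URL.
function verify_payment_response_vulnerable(array $response): bool
{
    return ($response['result'] ?? '') === 'OK';
}

/**
 * Accepts the response only if it was signed with the shared secret AND it
 * describes the order about to be marked paid. Either check alone fails: a
 * genuine receipt for a different order, or a matching order with a forged
 * signature, must both be rejected.
 */
function verify_payment_response(
    array $response,
    string $secret,
    string $expected_order_id,
    string $expected_amount,
    string $expected_currency
): bool {
    foreach (SIGNED_FIELDS as $k) {
        if (!isset($response[$k]) || !is_string($response[$k])) {
            return false;
        }
    }
    if (!isset($response['signature']) || !is_string($response['signature'])) {
        return false;
    }
    // Constant-time comparison of the recomputed MAC; a plain === leaks timing.
    if (!hash_equals(sign_response($response, $secret), $response['signature'])) {
        return false;
    }
    return $response['result'] === 'OK'
        && hash_equals($expected_order_id, $response['order_id'])
        && $response['amount'] === $expected_amount
        && $response['currency'] === $expected_currency;
}

// Constructed samples.
$secret  = 'constructed-shared-secret';
$genuine = [
    'order_id' => 'ORD-1001', 'amount' => '4999', 'currency' => 'EUR',
    'result' => 'OK', 'auth_code' => '12345', 'timestamp' => '20260624120000',
];
$genuine['signature'] = sign_response($genuine, $secret);

$forged = $genuine;                     // attacker knows the return URL and the field layout
$forged['amount'] = '1';                // ...but cannot sign without the secret
$forged['signature'] = sign_response($forged, 'guessed-secret');

$unsigned = $genuine;                   // a bare "OK" with no signature at all
unset($unsigned['signature']);

$checks = [
    'genuine, right order'   => [$genuine,  'ORD-1001'],
    'forged amount'          => [$forged,   'ORD-1001'],
    'unsigned'               => [$unsigned, 'ORD-1001'],
    'genuine, replayed'      => [$genuine,  'ORD-1002'],   // real receipt, wrong order
];
foreach ($checks as $label => [$response, $order_id]) {
    printf("%-22s vulnerable=%s  verified=%s\n", $label,
        var_export(verify_payment_response_vulnerable($response), true),
        var_export(verify_payment_response($response, $secret, $order_id, '4999', 'EUR'), true));
}
```

The vulnerable check accepts all four cases, since every one of them says `OK`; the full check accepts only the genuine response presented against its own order. The order, amount and currency comparisons matter as much as the MAC: a correctly signed receipt for a one-cent order is still a valid receipt, and without those comparisons it would mark the order it is posted against as paid.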
The Advanced Content Feedback module received two moderately critical advisories. SA-CONTRIB-2026-052 covers access bypass and insecure direct object reference handling in comment submissions for feedback records. The issue requires an attacker to have the "give feedback" permission, which the advisory notes is granted to anonymous and authenticated users by default on install, so most sites should assume it is reachable. SA-CONTRIB-2026-051 covers cross-site scripting in administrator-configured response messages. The upgrade target given is Advanced Content Feedback 8.x-2.8.
The advisories include version guidance or removal guidance for each affected project. Site owners should prioritise updates where high-severity vulnerabilities intersect with exposed user input, agent workflows, payment processing, authentication flows, or enabled submodules. Unsupported code should be removed rather than left in place without a maintained security path.
References
- WissKI - Critical - Access bypass - SA-CONTRIB-2026-059 (24 June 2026)
