Vulnerability

A May 2025 blog post by Drew Webber examines Remote Code Execution vulnerabilities in Drupal’s AI Automators submodule. The issues, disclosed in March 2025, stemmed from unsanitized shell commands and untrusted LLM output. Fixes were applied in version 1.0.5. ...more

Drupal contributor Chris Kelly warns against allowing web servers to write directly to code directories, citing significant security vulnerabilities. He emphasizes that such changes, intended to simplify module installations via Project Browser, could expose sites to attacks. Kelly advocates for maintaining strict file permissions to uphold Drupal's security standards ...more

A recent post by Drew Webber highlights a critical RCE vulnerability in the Drupal AI module, tied to unsafe shell command usage in AI Automators. The flaw, disclosed by the Drupal Security Team, allowed command injection through prompt and file input. A patch in version 1.0.5 addresses the issue. ...more

Next.js just patched a major security flaw that could let attackers slip past your app’s defenses. If you're self-hosting, you’ll want to hear this. ...more

Drupal has issued security updates to fix critical and moderately critical vulnerabilities, including a cross-site scripting flaw, access bypass risks, and a PHP object injection issue. Administrators are urged to update their systems immediately to protect against potential exploits. ...more

A security flaw in Drupal core’s CKEditor 5 module can disrupt site operations under specific configurations. Users are urged to update to version 10.2.10 to mitigate potential risks. ...more

Learn how the 2018 "Drupalgeddon 2" vulnerability led to widespread botnet attacks on unpatched Drupal sites. Acquia’s detailed analysis reveals the importance of timely security updates to prevent remote code execution and crypto-mining malware. ...more

Max Pogonowski from Sitback highlights a recent vulnerability in Drupal sites linked to polyfill.io, where malware was injected into scripts by the new owners. He advises updating Drupal modules or using Cloudflare for protection. The post also introduces the Frontend Bundler Initiative to reduce reliance on third-party CDNs. ...more

Nik from Versantus reports a critical vulnerability in Polyfill.io libraries, potentially distributing malware after a domain sale. Websites using these libraries must take immediate action to remove or update the code and ensure robust security monitoring. ...more

Dive into the world of cybersecurity with this breakdown of cracking a Drupal-Based VulnHub CTF (DC 1). Follow the step-by-step guide as Wayne Currie navigates through discovering hosts, scanning, exploiting Drupal vulnerabilities, and more. Uncover the final flag and sharpen your cybersecurity skills today. ...more

Mingsong Hu identifies and helps patch a moderately critical CSRF vulnerability in Drupal Symfony Mailer Lite, emphasizing the importance of timely updates for enhanced security. ...more

Discover the robust security features of Drupal CMS and how they protect your digital assets from cyber threats. Learn about the cybersecurity risks organizations face today and the mechanisms available to secure your Drupal website. ...more