From e4d21ac544282729d2c72e9b9d42cbaba80b0fc0 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 11 Feb 2026 18:01:54 +0000
Subject: [PATCH] feat: update advisories
---
.../quickedit/DRUPAL-CONTRIB-2026-009.json | 66 +++++++++++++++++++
.../ui_icons/DRUPAL-CONTRIB-2026-010.json | 66 +++++++++++++++++++
2 files changed, 132 insertions(+)
create mode 100644 advisories/quickedit/DRUPAL-CONTRIB-2026-009.json
create mode 100644 advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json
diff --git a/advisories/quickedit/DRUPAL-CONTRIB-2026-009.json b/advisories/quickedit/DRUPAL-CONTRIB-2026-009.json
new file mode 100644
index 00000000..2c1220e6
--- /dev/null
+++ b/advisories/quickedit/DRUPAL-CONTRIB-2026-009.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-009",
+ "modified": "2026-02-11T16:53:32.000Z",
+ "published": "2026-02-11T16:53:32.000Z",
+ "aliases": [
+ "CVE-2026-2348"
+ ],
+ "details": "This module allows content to be edited in-place.\n\nThe module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to create or edit an affected field.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/quickedit"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.5"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<1.0.5"
+ }
+ },
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.0.1"
+ }
+ ],
+ "database_specific": {
+ "constraint": ">=2.0.0 <2.0.1"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<1.0.5 || >=2.0.0 <2.0.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-009"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Drew Webber (mcdruid)",
+ "contact": [
+ "https://www.drupal.org/u/mcdruid"
+ ]
+ }
+ ]
+}
diff --git a/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json b/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json
new file mode 100644
index 00000000..6748e759
--- /dev/null
+++ b/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-010",
+ "modified": "2026-02-11T16:54:18.000Z",
+ "published": "2026-02-11T16:54:18.000Z",
+ "aliases": [
+ "CVE-2026-2349"
+ ],
+ "details": "This module enables you to integrate and manage icons with Drupal.\n\nThe module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.\n\nThe vulnerability is mitigated by the fact that in order to be vulnerable, the \"UI Icons for CKEditor 5\" submodule must be enabled.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/ui_icons"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.1"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<1.0.1"
+ }
+ },
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.1.0"
+ },
+ {
+ "fixed": "1.1.1"
+ }
+ ],
+ "database_specific": {
+ "constraint": ">=1.1.0 <1.1.1"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<1.0.1 || >=1.1.0 <1.1.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-010"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Drew Webber (mcdruid)",
+ "contact": [
+ "https://www.drupal.org/u/mcdruid"
+ ]
+ }
+ ]
+}