feat: update advisories (#226)

🤖 beep boop - looks like there's some changes to the advisories!

- https://www.drupal.org/SA-CONTRIB-2026-047
- https://www.drupal.org/SA-CONTRIB-2026-046
- https://www.drupal.org/SA-CONTRIB-2026-044
- https://www.drupal.org/SA-CONTRIB-2026-045
- https://www.drupal.org/SA-CONTRIB-2026-043

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

Author: DrupalSecurityBot

advisories/bfap_sb/DRUPAL-CONTRIB-2026-047.json

@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-047",
+  "modified": "2026-06-10T17:10:26.000Z",
+  "published": "2026-06-10T17:10:26.000Z",
+  "aliases": [
+    "CVE-2026-11915"
+  ],
+  "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/bfap_sb"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "*"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "*"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-047"
+    }
+  ],
+  "credits": []
+}

advisories/composer/DRUPAL-CONTRIB-2026-046.json

@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-046",
+  "modified": "2026-06-10T17:09:45.000Z",
+  "published": "2026-06-10T17:09:45.000Z",
+  "aliases": [
+    "CVE-2026-11914"
+  ],
+  "details": "The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)\n\n*Note: this is about a project for the Drupal system that makes use of composer. It is not a vulnerability in the composer software itself.*",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/composer"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "*"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "*"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-046"
+    }
+  ],
+  "credits": []
+}

advisories/examples/DRUPAL-CONTRIB-2026-044.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-044",
+  "modified": "2026-06-10T17:07:55.000Z",
+  "published": "2026-06-10T17:07:55.000Z",
+  "aliases": [
+    "CVE-2026-11909"
+  ],
+  "details": "The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.\n\nThe \"Read from a file\" feature implemented by the file\\_example submodule can be used to expose any file that PHP can access. Therefore, the file\\_example sub-module is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/examples"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.6"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<4.0.6"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<4.0.6"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-044"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Pierre Rudloff (prudloff)",
+      "contact": [
+        "https://www.drupal.org/u/prudloff"
+      ]
+    }
+  ]
+}

advisories/mothermayi/DRUPAL-CONTRIB-2026-045.json

@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-045",
+  "modified": "2026-06-10T17:08:53.000Z",
+  "published": "2026-06-10T17:08:53.000Z",
+  "aliases": [
+    "CVE-2026-11913"
+  ],
+  "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/mothermayi"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "*"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "*"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-045"
+    }
+  ],
+  "credits": []
+}

advisories/tagify/DRUPAL-CONTRIB-2026-043.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-043",
+  "modified": "2026-06-10T17:07:12.000Z",
+  "published": "2026-06-10T17:07:12.000Z",
+  "aliases": [
+    "CVE-2026-11908"
+  ],
+  "details": "This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.\n\nThe module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user\u2019s session.\n\nThe vulnerability is mitigated by the fact an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/tagify"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.2.52"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.2.52"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.2.52"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-043"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Pierre Rudloff (prudloff)",
+      "contact": [
+        "https://www.drupal.org/u/prudloff"
+      ]
+    }
+  ]
+}