feat: update advisories (#213)

DrupalSecurityBot · github-actions[bot] · web-flow · commit e511096f0898 · 2026-05-14T06:56:08.000+12:00
🤖 beep boop - looks like there's some changes to the advisories! - https://www.drupal.org/SA-CONTRIB-2026-036 - https://www.drupal.org/SA-CONTRIB-2026-037 - https://www.drupal.org/SA-CONTRIB-2026-035 - https://www.drupal.org/SA-CONTRIB-2026-034 Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
diff --git a/advisories/colorbox_inline/DRUPAL-CONTRIB-2026-036.json b/advisories/colorbox_inline/DRUPAL-CONTRIB-2026-036.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-036",
+  "modified": "2026-05-13T17:18:29.000Z",
+  "published": "2026-05-13T17:18:29.000Z",
+  "aliases": [
+    "CVE-2026-8493"
+  ],
+  "details": "This module enables you to open content already on the page within a colorbox.\n\nThe module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/colorbox_inline"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.1"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<2.1.1"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<2.1.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-036"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Pierre Rudloff (prudloff)",
+      "contact": [
+        "https://www.drupal.org/u/prudloff"
+      ]
+    }
+  ]
+}
diff --git a/advisories/date_ical/DRUPAL-CONTRIB-2026-037.json b/advisories/date_ical/DRUPAL-CONTRIB-2026-037.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-037",
+  "modified": "2026-05-13T17:19:25.000Z",
+  "published": "2026-05-13T17:19:25.000Z",
+  "aliases": [
+    "CVE-2026-8495"
+  ],
+  "details": "This module enables you to export entity date fields as iCal feeds.\n\nThe module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.\n\nThis vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no configuration required.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/date_ical"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.0.15"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<4.0.15"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<4.0.15"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-037"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Drew Webber (mcdruid)",
+      "contact": [
+        "https://www.drupal.org/u/mcdruid"
+      ]
+    }
+  ]
+}
diff --git a/advisories/gtranslate/DRUPAL-CONTRIB-2026-035.json b/advisories/gtranslate/DRUPAL-CONTRIB-2026-035.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-035",
+  "modified": "2026-05-13T17:17:42.000Z",
+  "published": "2026-05-13T17:17:42.000Z",
+  "aliases": [
+    "CVE-2026-8492"
+  ],
+  "details": "The GTranslate module provides a language switcher widget for Drupal sites.\n\nThe module\u2019s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to point to an unintended domain.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to add HTML with attributes that are not allowed by Drupal\u2019s default CKEditor configuration. It is also limited to sites using the paid versions of GTranslate widget JavaScript and configurations where the generated language links use script-provided values.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/gtranslate"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.5"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<3.0.5"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<3.0.5"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-035"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Pierre Rudloff (prudloff)",
+      "contact": [
+        "https://www.drupal.org/u/prudloff"
+      ]
+    }
+  ]
+}
diff --git a/advisories/node_view_permissions/DRUPAL-CONTRIB-2026-034.json b/advisories/node_view_permissions/DRUPAL-CONTRIB-2026-034.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2026-034",
+  "modified": "2026-05-13T18:16:36.000Z",
+  "published": "2026-05-13T17:16:59.000Z",
+  "aliases": [
+    "CVE-2026-8491"
+  ],
+  "details": "Node view permissions module enables permissions \"View own content\" and \"View any content\" for each content type on permissions page  \nThe module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.  \nThis vulnerability is mitigated by the fact that only private contents where anonymous should not have view access are affected, and only if a node was reassigned to the anonymous user.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist:https://packages.drupal.org/8",
+        "name": "drupal/node_view_permissions"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.7.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.7.0"
+          }
+        },
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "2.0.1"
+            }
+          ],
+          "database_specific": {
+            "constraint": ">=2.0.0 <2.0.1"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.7.0 || >=2.0.0 <2.0.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2026-034"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Adam Shepherd (adamps)",
+      "contact": [
+        "https://www.drupal.org/u/adamps"
+      ]
+    }
+  ]
+}
