Mailjet - Less critical - Multiple upstream vulnerabilities
Project
Date
Severity
Less Critical
Affected versions
<7.x02.24
Mailjet is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer & Guzzle library.
This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.
Flag - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-3.10
The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.
Form Builder - Less critical - Cross Site Scripting
Project
Date
Severity
Less Critical
Affected versions
≤ 7.x-1.22, ≤ 7.x-2.0-alpha8
The Form Builder module provides an interface for editing and configuring forms. The module doesn't sufficiently sanitize JSON data, allowing persistent Cross Site Scripting (XSS) attacks.
Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028
Project
Date
Severity
Moderately Critical
Affected versions
< 7.x-1.2
The Access code module allows site visitors to log in using an access code instead of entering username and password. The module doesn't sufficiently protect against brute force attacks to guess a user's access code.
D7ES PSA relating to 7.x elFinder file manager
Date
Tag1 D7ES is marking the 7.x branch of the elfinder Drupal project as unsupported. There is at least one known security issue with its upstream dependencies that have not been addressed. If you use this project, it is recommended that you uninstall it.
Link - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Project
Date
Severity
Moderately Critical
Affected versions
< 7.x-1.13
The link module provides a standard custom content field for links. This release is a backport of SA-CORE-2025-004, with the addition of a hook_update to register the new sanitization PHP class in Drupal 7's class registry.
SMTP - Critical - Multiple Vulnerabilities
Project
Date
Severity
Critical
Affected versions
< 7.x-1.11
The SMTP module allows Drupal to bypass the PHP mail() function and send email directly to an SMTP server. It is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer library.
Global Redirect - Moderately critical - Server Side Request Forgery
Project
Date
Severity
Moderately Critical
Affected versions
<=7.x-1.6
Global Redirect is a module that provides support for clean URLs, paths, and aliases. It is susceptible to a Server Side Request Forgery (SSRF) when used in combination with remote_stream_wrapper project.
Mailsystem - Critical - PHP Injection
Project
Date
Severity
Critical
Affected versions
<=7.x-2.35
The Mail System module provides an Administrative UI and Developers API for managing a mail backend or plugin. The module is susceptible to a PHP injection vulnerability.
General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018
Date
Severity
Moderately Critical
Affected versions
7.x-1.0-alpha12
The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.