Tag1 D7ES Security Advisories

OpenID Connect - Moderately Critical - Server Side Request Forgery

Project

OpenID Connect

Date

April 22, 2026

Severity

Moderately Critical

Risk Score

10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Affected versions

<7.x-1.4

The OpenID Connect module contained a Server Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs through malicious user picture URLs.

Read more about OpenID Connect - Moderately Critical - Server Side Request Forgery

OpenID Connect - Moderately Critical - Access Bypass

Project

OpenID Connect

Date

April 22, 2026

Severity

Moderately Critical

Risk Score

10/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.4

The OpenID Connect module introduced a prompt parameter configuration that, when misconfigured, could potentially weaken authentication security by allowing users to bypass certain authentication requirements through OpenID Connect identity providers.

Read more about OpenID Connect - Moderately Critical - Access Bypass

OpenID Connect - Less Critical - Email Uniqueness Validation

Project

OpenID Connect

Date

April 22, 2026

Severity

Moderately Critical

Risk Score

9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Affected versions

<7.x-1.4

The OpenID Connect module contained an email uniqueness validation vulnerability that allowed duplicate user accounts to be created with email addresses that differ only in case, potentially leading to account confusion and authentication bypass scenarios.

Read more about OpenID Connect - Less Critical - Email Uniqueness Validation

Login Disable - Less Critical - Access Bypass

Project

Date

April 15, 2026

Severity

Less Critical

Risk Score

8/25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.3

The Login Disable module contained an access bypass vulnerability in its user login hook, allowing users to bypass the access key requirement through non-form login routes like Services or RESTful APIs.

Read more about Login Disable - Less Critical - Access Bypass

User Alert - Less Critical - Access Bypass

Project

User Alert

Date

April 15, 2026

Severity

Less Critical

Risk Score

8/25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.11

The User Alert module contained an Insecure Direct Object Reference (IDOR) vulnerability in its message dismissal endpoint, allowing authenticated users to mark any node as dismissed without proper access control checks.

Read more about User Alert - Less Critical - Access Bypass

Views Reference Filter - Moderately Critical - Access Bypass

Project

Views Reference Filter

Date

April 15, 2026

Severity

Moderately Critical

Risk Score

12/25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.8

The Entityreference Filter module exposed an unprotected callback function that allowed unauthorized users to trigger entity reference filter updates without proper access control.

Read more about Views Reference Filter - Moderately Critical - Access Bypass

Ajax Blocks - Moderately Critical - Access Bypass

Project

Ajax Blocks

Date

April 15, 2026

Severity

Moderately Critical

Risk Score

13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.5

The Ajax Blocks module contained an access bypass vulnerability in its AJAX handler that could serve content from disabled or regionless blocks, potentially exposing content that should not be accessible to users.

Read more about Ajax Blocks - Moderately Critical - Access Bypass

Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019

Project

Responsive Favicons

Date

April 01, 2026

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.4

The Responsive Favicons module does not filter administrator-entered text.

Read more about Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019

Taxonomy Term Reference Tree Widget - Moderately Critical - Cross Site Scripting

Project

Taxonomy Term Reference Tree Widget

Date

April 01, 2026

Severity

Moderately Critical

Risk Score

13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.12

The Term Reference Tree Widget module contained a Cross-Site Scripting (XSS) vulnerability in its tree list output function, allowing malicious users to inject JavaScript code through unsanitized token replacement and improper URI handling.