DRUPAL-CONTRIB-2026-012

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/theme_rule/DRUPAL-CONTRIB-2026-012.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-012

Aliases

CVE-2026-3211

Published

2026-02-25T18:44:38Z

Modified

2026-02-25T19:18:50.466611Z

Summary

[none]

Details

This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.

The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.

References

https://www.drupal.org/sa-contrib-2026-012

Credits

- Juraj Nemec (poker10)
- - https://www.drupal.org/u/poker10

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/theme_rule

Package

Name: drupal/theme_rule
Purl: pkg:composer/drupal/theme_rule

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.1

Database specific

{
    "constraint": "<1.2.1"
}

Database specific

affected_versions

"<1.2.1"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/theme_rule/DRUPAL-CONTRIB-2026-012.json"