DRUPAL-CONTRIB-2026-060

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/paragraphs/DRUPAL-CONTRIB-2026-060.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-060
Aliases
  • CVE-2026-13240
Published
2026-06-24T18:42:30Z
Modified
2026-06-24T19:15:05.483927923Z
Summary
[none]
Details

The optional Paragraphs Library module allows the reuse of paragraphs in multiple places.
The module doesn't sufficiently restrict access to unpublished library items in lists.
This vulnerability is mitigated by the fact the paragraphs_library module must be in use, and that an attacker must have access to a list of library items, such as a field with autocomplete suggestions or a view.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/paragraphs

Package

Name
drupal/paragraphs
Purl
pkg:composer/drupal%2Fparagraphs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.21.0
Database specific
{
    "constraint": "<1.21.0"
}

Database specific

affected_versions
"<1.21.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/paragraphs/DRUPAL-CONTRIB-2026-060.json"