
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN653
_____________________________________________________________________

DATE                : 18/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Plotly.js Graphing module for Drupal,
                      Flag attendance field module for Drupal,
                      Formatter Field module for Drupal,
                      Brute force attack protection module for Drupal,
                      Composer module for Drupal,
                      Mother May I module for Drupal.
 
=====================================================================
https://www.drupal.org/sa-contrib-2026-050
https://www.drupal.org/sa-contrib-2026-049
https://www.drupal.org/sa-contrib-2026-048
https://www.drupal.org/sa-contrib-2026-047
https://www.drupal.org/sa-contrib-2026-046
https://www.drupal.org/sa-contrib-2026-045
_____________________________________________________________________

Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050
Project: Plotly.js Graphing
Date: 2026-June-17
Security risk: 
Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: PHP object injection
Affected versions: <3.0.2
CVE IDs: CVE-2026-55810

Description: 

The Plotly.js Graphing module provides a fully customizable
implementation of the open source Plotly.js graphing library.

The module stores some data as PHP-serialized strings. In some
situations, malicious data can be written directly to the field.
This can lead to an object injection vulnerability when the data
are unserialized.

This vulnerability is mitigated by the fact that an attacker must
have permission to edit a content entity with an attached
plotly_js_graph field. In addition, the core JSON:API module must
be enabled with the option "Accept all JSON:API create, read,
update, and delete operations", which is not the default, or
the attacker needs some other way to edit field values directly.


Solution: 

Install the latest version:

    If you use the Plotly.js Graphing module for Drupal, upgrade
to plotly_js-3.0.2.

Reported By: 

    Drew Webber (mcdruid) of the Drupal Security Team 

Fixed By: 

    Stephen Mustgrave (smustgrave) 

Coordinated By: 

    Greg Knaddison (greggles) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
_____________________________________________________________________

Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049
Project: Flag attendance field
Date: 2026-June-17
Security risk: 
Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: PHP object injection
Affected versions: <1.2
CVE IDs: CVE-2026-55809

Description: 

The Flag attendance field module adds an attendance field that
depends on the Flag module.

flag_attendance_field stores some data as PHP-serialized strings.
In some situations, malicious data can be written directly to the
field. This can lead to an object injection vulnerability when
the data are unserialized.

This vulnerability is mitigated by the fact that an attacker must
have permission to edit a content entity with an attached
flag_attendance_field field. In addition, the core JSON:API
module must be enabled with the option "Accept all JSON:API
create, read, update, and delete operations", which is not
the default, or the attacker needs some other way to edit
field values directly.

Solution: 

Install the latest version:

    If you use the Flag attendance field module for Drupal,
upgrade to Flag attendance field 8.x-1.2.

Reported By: 

    Drew Webber (mcdruid) of the Drupal Security Team 

Fixed By: 

    Anas Mawlawi (anas_maw)
    Benji Fisher (benjifisher) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team 

Coordinated By: 

    Benji Fisher (benjifisher) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
_____________________________________________________________________

Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048
Project: Formatter Field
Date: 2026-June-17
Security risk: 
Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: PHP object injection
Affected versions: <2.0.0
CVE IDs: CVE-2026-12535


Description: 

The Formatter Field module provides a mechanism for specifying a
formatter and formatter settings to be used for displaying a field,
on a per-entity basis.

formatter_field stores some data as PHP-serialized strings. In some
situations, malicious data can be written directly to the field.
This can lead to an object injection vulnerability when the data
are unserialized.

This vulnerability is mitigated by the fact that an attacker must
have permission to edit a content entity with an attached
formatter_field field. In addition, the core JSON:API module must
be enabled with the option "Accept all JSON:API create, read,
update, and delete operations", which is not the default, or the
attacker needs some other way to edit field values directly.
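The three advisories above (Plotly.js Graphing, Flag attendance field and Formatter Field) share one root cause: a field value stored as a PHP-serialized string is later passed to unserialize(), so whoever can write the raw field value can choose which PHP classes get instantiated. The following is an added illustration, not code from any of those modules or from the Drupal Security Team, of how a module can read such a stored value while refusing object payloads. The helper names (safe_unserialize_field) and the sample serialized strings are constructed for this example; it relies only on PHP's documented allowed_classes option of unserialize().

```php
<?php
// Added example (hypothetical helper, not code from the affected modules):
// deserialize a stored field value while refusing any PHP object payload.
declare(strict_types=1);

/**
 * Unserialize a stored scalar/array value, rejecting object payloads.
 *
 * With ['allowed_classes' => false], PHP never instantiates a class named
 * in the payload; every serialized object becomes an inert
 * __PHP_Incomplete_Class stub, so no attacker-chosen __wakeup() or
 * __destruct() can run. We then reject even the stub, because a graph or
 * formatter configuration never legitimately contains objects.
 */
function safe_unserialize_field(string $stored): mixed {
  // serialize(false) is the only input for which false is a valid result.
  $value = @unserialize($stored, ['allowed_classes' => false]);
  if ($value === false && $stored !== serialize(false)) {
    throw new \UnexpectedValueException('Malformed serialized field value.');
  }
  if (contains_object($value)) {
    throw new \UnexpectedValueException('Object payload rejected in serialized field.');
  }
  return $value;
}

/** Recursively check that a decoded value holds only scalars and arrays. */
function contains_object(mixed $value): bool {
  if (is_object($value)) {
    return true;
  }
  if (is_array($value)) {
    foreach ($value as $item) {
      if (contains_object($item)) {
        return true;
      }
    }
  }
  return false;
}

// Constructed sample inputs: a legitimate array-only configuration and a
// payload that declares an object (stdClass, chosen because it is harmless).
$legitimate = serialize(['x' => [1, 2, 3], 'y' => [4, 5, 6], 'type' => 'scatter']);
$objectPayload = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

echo safe_unserialize_field($legitimate)['type'], "\n";
try {
  safe_unserialize_field($objectPayload);
} catch (\UnexpectedValueException $e) {
  echo $e->getMessage(), "\n";
}
```

The first call returns the decoded array; the second throws instead of instantiating anything. Whether a given module can adopt this depends on whether its stored values ever legitimately contain objects; the actual fixes are those shipped in the versions named under each "Solution" heading, and upgrading remains the primary remediation.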

Solution: 

Install the latest version:

    If you use the Formatter Field module, upgrade to Formatter
Field 2.0.0.

Reported By: 

    Drew Webber (mcdruid) of the Drupal Security Team 

Fixed By: 

    Kostia Bohach (_shy) 

Coordinated By: 

    Benji Fisher (benjifisher) of the Drupal Security Team
    Drew Webber (mcdruid) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 
_____________________________________________________________________

Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047
Project: Brute force attack protection
Date: 2026-June-10
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2026-11915

Description: 

The security team is marking this project unsupported. There is a
known security issue with the project that has not been fixed by the
maintainer. If you would like to maintain this project, please read:
https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...


Solution: 

If you use this project, you should uninstall it. To take over
maintainership, please read
https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons

_____________________________________________________________________

Composer - Critical - Unsupported - SA-CONTRIB-2026-046
Project: Composer
Date: 2026-June-10
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2026-11914


Description: 

The security team is marking the Composer module for Drupal project
unsupported. There is a known security issue with the project that
has not been fixed by the maintainer. If you would like to maintain
this project, please read:
https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons

Note: this is about a project for the Drupal system that makes use
of composer. It is not a vulnerability in the composer software itself.

Solution: 

If you use this project, you should uninstall it. To take over
maintainership, please read 
https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons

_____________________________________________________________________

Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
Project: Mother May I
Date: 2026-June-10
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2026-11913

Description: 

The security team is marking this project unsupported. There is a known
security issue with the project that has not been fixed by the
maintainer. If you would like to maintain this project, please read:
https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons

Solution: 

If you use this project, you should uninstall it. To take over
maintainership, please read
https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
