Drupal SA-CONTRIB-2026-011 through 019: Full Triage Map and Impact Assessment
I reviewed Drupal advisories SA-CONTRIB-2026-011 through SA-CONTRIB-2026-019 (published on 2026-02-25) and mapped them against active drupal-* projects. Nine advisories, nine modules, one triage session.
Drupal published nine contrib security advisories on a single day. Even if none of these modules are in your current stack, add them to your dependency watchlist so you catch them if they show up later.
Advisory-to-Module Map
| SA ID | Module | CVE | Fix Version | Vulnerability Type |
|---|---|---|---|---|
| SA-CONTRIB-2026-011 | drupal/material_icons | CVE-2026-3210 | 2.0.4 | Access bypass |
| SA-CONTRIB-2026-012 | drupal/theme_rule | CVE-2026-3211 | 1.2.1 | CSRF |
| SA-CONTRIB-2026-013 | drupal/tagify | -- | 1.2.49 | -- |
| SA-CONTRIB-2026-014 | drupal/cleantalk | -- | 9.7.0 | -- |
| SA-CONTRIB-2026-015 | drupal/captcha | CVE-2026-3214 | 8.x-1.17 / 2.0.10 | Access bypass |
| SA-CONTRIB-2026-016 | drupal/islandora | CVE-2026-3215 | 2.17.5 | File upload + XSS |
| SA-CONTRIB-2026-017 | drupal/canvas | CVE-2026-3216 | 1.1.1 | SSRF + info disclosure |
| SA-CONTRIB-2026-018 | drupal/miniorange_saml | CVE-2026-3217 | 3.1.3 | Reflected XSS |
| SA-CONTRIB-2026-019 | drupal/responsive_favicons | CVE-2026-3218 | 2.0.2 | Persistent XSS |
Current Project Impact
I scanned across drupal-* repositories in my active projects directory.
Run composer show --locked | grep -E "material_icons|theme_rule|tagify|cleantalk|captcha|islandora|canvas|miniorange_saml|responsive_favicons" against every composer.lock in your project portfolio.
Results:
- composer.json direct requirements: no matches for affected packages
- composer.lock installed package names: no matches for affected packages
- Code-level references: one non-dependency mention of tagify API usage in drupal-ai-context-issue-3572160, but no drupal/tagify package requirement found
"No currently affected active project dependencies detected for this advisory set."
Upgrade and Mitigation Actions
Even with zero current matches, I set up forward-looking controls.
If No Affected Modules Are Installed
- Add these package names to dependency watchlists in CI checks
- Re-run advisory triage whenever any of these modules are introduced
- Document baseline clean status for audit trail
If Any Affected Module Is Added Later
- Pin minimum safe versions immediately in composer.json
- Run composer update drupal/<module> --with-all-dependencies
- Verify role/permission hardening notes from each advisory before deploy
- Clear caches and rebuild router: drush cr
- Test critical paths after update
composer show --locked | grep -E "material_icons|theme_rule|tagify|cleantalk|captcha|islandora|canvas|miniorange_saml|responsive_favicons"
composer require drupal/captcha:^2.0.10
drush cr
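An added example (my own, not code from the original post or from any of the Drupal projects it covers) that automates the composer.lock scan above and, unlike a plain grep, compares each installed version against the advisory's fix version so that a package that is present but already patched is not flagged. It also walks packages-dev, which the grep would miss only if the name never appears. The advisory map is transcribed from the table in this post; the composer.lock content is constructed; the normalization of legacy "8.x-1.17" style versions to "1.17.0" follows how Drupal's packagist publishes contrib releases, which I am assuming here rather than taking from the advisories.

```python
"""Triage composer.lock files against the SA-CONTRIB-2026-011..019 advisory map.

Added example, not from the original post. The ADVISORIES table is transcribed
from the post; SAMPLE_LOCK is constructed. Assumption: Drupal's packagist maps
legacy '8.x-1.17' to '1.17.0', so both spellings normalize to the same tuple.
"""
import json
import re

# package name -> (advisory id, fix version per supported branch), from the post's table
ADVISORIES = {
    "drupal/material_icons":      ("SA-CONTRIB-2026-011", ["2.0.4"]),
    "drupal/theme_rule":          ("SA-CONTRIB-2026-012", ["1.2.1"]),
    "drupal/tagify":              ("SA-CONTRIB-2026-013", ["1.2.49"]),
    "drupal/cleantalk":           ("SA-CONTRIB-2026-014", ["9.7.0"]),
    "drupal/captcha":             ("SA-CONTRIB-2026-015", ["8.x-1.17", "2.0.10"]),
    "drupal/islandora":           ("SA-CONTRIB-2026-016", ["2.17.5"]),
    "drupal/canvas":              ("SA-CONTRIB-2026-017", ["1.1.1"]),
    "drupal/miniorange_saml":     ("SA-CONTRIB-2026-018", ["3.1.3"]),
    "drupal/responsive_favicons": ("SA-CONTRIB-2026-019", ["2.0.2"]),
}


def normalize(version):
    """Turn '8.x-1.17', '1.17.0', 'v2.0.10' or '2.0.10-beta1' into a comparable tuple.

    Returns None for branch aliases such as 'dev-main' or '1.x-dev', which need
    manual review because they carry no comparable release number.
    """
    v = version.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)                 # '8.x-1.17' -> '1.17' (assumed mapping)
    head, *suffix = re.split(r"[-+]", v, maxsplit=1)
    parts = [int(p) for p in head.split(".") if p.isdigit()]
    if not parts:
        return None
    while len(parts) < 3:
        parts.append(0)
    # A final release sorts above a pre-release of the same number (2.0.10 > 2.0.10-beta1).
    return tuple(parts[:3]) + ((0,) if suffix else (1,))


def fix_for_branch(fix_versions, installed):
    """Pick the fix version on the installed major branch (captcha ships two);
    fall back to the lowest fix version when no branch matches."""
    candidates = [normalize(f) for f in fix_versions]
    same_major = [c for c in candidates if c[0] == installed[0]]
    return min(same_major) if same_major else min(candidates)


def triage(lock_text):
    """Return (package, installed version, advisory id, status) for every
    advisory-listed package in a composer.lock, including packages-dev."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name not in ADVISORIES:
                continue
            sa_id, fixes = ADVISORIES[name]
            raw = pkg.get("version", "")
            installed = normalize(raw)
            if installed is None:
                status = "unknown-version"
            elif installed < fix_for_branch(fixes, installed):
                status = "vulnerable"
            else:
                status = "fixed"
            findings.append((name, raw, sa_id, status))
    return findings


def triage_file(path):
    """Convenience wrapper for a real composer.lock on disk."""
    with open(path, encoding="utf-8") as fh:
        return triage(fh.read())


# Constructed composer.lock excerpt: one patched, one unpatched on each branch style.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "11.2.0"},
        {"name": "drupal/captcha", "version": "1.16.0"},
        {"name": "drupal/canvas", "version": "1.1.1"},
        {"name": "drupal/tagify", "version": "1.2.49"},
    ],
    "packages-dev": [
        {"name": "drupal/miniorange_saml", "version": "3.1.2"},
    ],
})

if __name__ == "__main__":
    for name, raw, sa_id, status in triage(SAMPLE_LOCK):
        print(f"{status:16} {name:30} {raw:10} {sa_id}")
```

Run it over each composer.lock in the portfolio with triage_file; anything reported as vulnerable maps to a composer require of the fix version from the table, and unknown-version entries (dev branches) are the ones to inspect by hand.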
Special note: SA-CONTRIB-2026-017 (Drupal Canvas)
If Canvas is adopted later, verify the state of the hidden canvas_ai submodule and its related permissions as part of release QA. Recipe-driven enablement can switch canvas_ai on without anyone explicitly choosing it.
Check with:
drush config:get core.extension | grep canvas_ai
If canvas_ai is enabled and users have the use Drupal Canvas AI permission, the SSRF and information disclosure vectors from SA-CONTRIB-2026-017 apply.
Individual Advisory Reviews
For deep-dive analysis on each advisory, see the dedicated review posts:
- SA-CONTRIB-2026-011: Material Icons
- SA-CONTRIB-2026-012: Theme Rule
- SA-CONTRIB-2026-015: CAPTCHA
- SA-CONTRIB-2026-016: Islandora
- SA-CONTRIB-2026-017: Canvas
- SA-CONTRIB-2026-018: SAML SSO
- SA-CONTRIB-2026-019: Responsive Favicons
