Drupal SA-CONTRIB-2026-011 through 019: Full Triage Map and Impact Assessment
I reviewed Drupal advisories SA-CONTRIB-2026-011 through SA-CONTRIB-2026-019 (published on 2026-02-25) and mapped them against active drupal-* projects. Nine advisories, nine modules, one triage session.
Drupal published nine contrib security advisories on a single day. Even if none of these modules are in your current stack, add them to your dependency watchlist so you catch them if they show up later.
Advisory-to-Module Map
| SA ID | Module | CVE | Fix Version | Vulnerability Type |
|---|---|---|---|---|
| SA-CONTRIB-2026-011 | drupal/material_icons | CVE-2026-3210 | 2.0.4 | Access bypass |
| SA-CONTRIB-2026-012 | drupal/theme_rule | CVE-2026-3211 | 1.2.1 | CSRF |
| SA-CONTRIB-2026-013 | drupal/tagify | -- | 1.2.49 | -- |
| SA-CONTRIB-2026-014 | drupal/cleantalk | -- | 9.7.0 | -- |
| SA-CONTRIB-2026-015 | drupal/captcha | CVE-2026-3214 | 8.x-1.17 / 2.0.10 | Access bypass |
| SA-CONTRIB-2026-016 | drupal/islandora | CVE-2026-3215 | 2.17.5 | File upload + XSS |
| SA-CONTRIB-2026-017 | drupal/canvas | CVE-2026-3216 | 1.1.1 | SSRF + info disclosure |
| SA-CONTRIB-2026-018 | drupal/miniorange_saml | CVE-2026-3217 | 3.1.3 | Reflected XSS |
| SA-CONTRIB-2026-019 | drupal/responsive_favicons | CVE-2026-3218 | 2.0.2 | Persistent XSS |
Current Project Impact
I scanned across drupal-* repositories in my active projects directory.
Run composer show --locked | grep -E "material_icons|theme_rule|tagify|cleantalk|captcha|islandora|canvas|miniorange_saml|responsive_favicons" against every composer.lock in your project portfolio.
Results:
composer.jsondirect requirements: no matches for affected packagescomposer.lockinstalled package names: no matches for affected packages- Code-level references: one non-dependency mention of
tagifyAPI usage indrupal-ai-context-issue-3572160, but nodrupal/tagifypackage requirement found
"No currently affected active project dependencies detected for this advisory set."
Upgrade and Mitigation Actions
Even with zero current matches, I set up forward-looking controls.
If No Affected Modules Are Installed
- Add these package names to dependency watchlists in CI checks
- Re-run advisory triage whenever any of these modules are introduced
- Document baseline clean status for audit trail
If Any Affected Module Is Added Later
- Pin minimum safe versions immediately in
composer.json - Run
composer update drupal/<module> --with-all-dependencies - Verify role/permission hardening notes from each advisory before deploy
- Clear caches and rebuild router:
drush cr - Test critical paths after update
composer show --locked | grep -E "material_icons|theme_rule|tagify|cleantalk|captcha|islandora|canvas|miniorange_saml|responsive_favicons"
composer require drupal/captcha:^2.0.10
drush cr
Special note: SA-CONTRIB-2026-017 (Drupal Canvas)
If Canvas is adopted later, verify the hidden submodule canvas_ai state and related permissions as part of release QA. Recipe-driven enablement can introduce canvas_ai without explicit awareness.
Check with:
drush config:get core.extension | grep canvas_ai
If canvas_ai is enabled and users have the use Drupal Canvas AI permission, the SSRF and information disclosure vectors from SA-CONTRIB-2026-017 apply.
Individual Advisory Reviews
For deep-dive analysis on each advisory, see the dedicated review posts:
- SA-CONTRIB-2026-011: Material Icons
- SA-CONTRIB-2026-012: Theme Rule
- SA-CONTRIB-2026-015: CAPTCHA
- SA-CONTRIB-2026-016: Islandora
- SA-CONTRIB-2026-017: Canvas
- SA-CONTRIB-2026-018: SAML SSO
- SA-CONTRIB-2026-019: Responsive Favicons
Why this matters for Drupal and WordPress
Drupal agencies and site owners running contrib-heavy stacks need a repeatable triage workflow when advisory batches like this land. Modules like CAPTCHA, SAML SSO, and Islandora are common in enterprise Drupal builds, and missing even one patch can expose XSS or access-bypass vectors. WordPress teams maintaining parallel CMS portfolios should apply the same dependency-scanning discipline across both ecosystems since many hosting and CI pipelines serve both platforms.
References
- SA-CONTRIB-2026-011
- SA-CONTRIB-2026-012
- SA-CONTRIB-2026-013
- SA-CONTRIB-2026-014
- SA-CONTRIB-2026-015
- SA-CONTRIB-2026-016
- SA-CONTRIB-2026-017
- SA-CONTRIB-2026-018
- SA-CONTRIB-2026-019
Looking for an Architect who doesn't just write code, but builds the AI systems that multiply your team's output? View my enterprise CMS case studies at victorjimenezdev.github.io or connect with me on LinkedIn.