Skip to main content

Ai Agents

2 CVEs product

Monthly

CVE-2026-13237 PHP MEDIUM PATCH This Month

Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. CISA SSVC classifies exploitation as none with partial technical impact, EPSS sits at the 4th percentile, and no public exploit has been identified at time of analysis - signals that collectively indicate limited immediate real-world risk despite the network-accessible attack vector.

Authentication Bypass Ai Agents
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-13236 PHP MEDIUM PATCH This Month

Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.

Authentication Bypass Ai Agents
NVD
CVSS 3.1
4.2
EPSS
0.1%
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. CISA SSVC classifies exploitation as none with partial technical impact, EPSS sits at the 4th percentile, and no public exploit has been identified at time of analysis - signals that collectively indicate limited immediate real-world risk despite the network-accessible attack vector.

Authentication Bypass Ai Agents
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.

Authentication Bypass Ai Agents
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy