Skip to main content

Ai Artificial Intelligence

3 CVEs product

Monthly

CVE-2026-13235 PHP LOW PATCH Monitor

Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and CISA SSVC confirms no active exploitation, placing this firmly in the low-urgency tier despite its network-accessible attack vector.

Authentication Bypass Ai Artificial Intelligence
NVD VulDB
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-13234 PHP MEDIUM PATCH This Month

Cross-site scripting in the Drupal AI (Artificial Intelligence) contributed module exposes sites to session hijacking and malicious content injection when users interact with unsanitized AI-generated or AI-related output rendered in the browser. The module fails to properly neutralize user-controlled or AI-sourced input before including it in generated web pages, allowing an unauthenticated remote attacker to craft a payload that executes in a victim's browser upon interaction. No active exploitation is confirmed (not in CISA KEV) and EPSS is very low at 0.16% (6th percentile), though the network-accessible, no-privilege attack surface warrants prompt patching on internet-facing Drupal deployments.

XSS Ai Artificial Intelligence
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-3573 PHP HIGH PATCH This Week

Drupal AI module versions 0.0.0 before 1.1.11 and 1.2.0 before 1.2.12 contain an incorrect authorization vulnerability (CWE-863) that enables resource injection attacks. The flaw allows attackers to bypass authorization controls and inject malicious resources, potentially gaining unauthorized access to AI-driven functionality or data within affected Drupal installations. No public exploit code or active exploitation has been confirmed at the time of this analysis.

Authentication Bypass Ai Artificial Intelligence
NVD
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and CISA SSVC confirms no active exploitation, placing this firmly in the low-urgency tier despite its network-accessible attack vector.

Authentication Bypass Ai Artificial Intelligence
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in the Drupal AI (Artificial Intelligence) contributed module exposes sites to session hijacking and malicious content injection when users interact with unsanitized AI-generated or AI-related output rendered in the browser. The module fails to properly neutralize user-controlled or AI-sourced input before including it in generated web pages, allowing an unauthenticated remote attacker to craft a payload that executes in a victim's browser upon interaction. No active exploitation is confirmed (not in CISA KEV) and EPSS is very low at 0.16% (6th percentile), though the network-accessible, no-privilege attack surface warrants prompt patching on internet-facing Drupal deployments.

XSS Ai Artificial Intelligence
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Drupal AI module versions 0.0.0 before 1.1.11 and 1.2.0 before 1.2.12 contain an incorrect authorization vulnerability (CWE-863) that enables resource injection attacks. The flaw allows attackers to bypass authorization controls and inject malicious resources, potentially gaining unauthorized access to AI-driven functionality or data within affected Drupal installations. No public exploit code or active exploitation has been confirmed at the time of this analysis.

Authentication Bypass Ai Artificial Intelligence
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy