Paragraphs
Monthly
Missing authorization in the Drupal Paragraphs contributed module (all versions through 1.20.x) enables unauthenticated remote attackers to perform forceful browsing - directly accessing paragraph entity URLs or endpoints without passing any authorization check. The CVSS vector (PR:N/AC:L/AV:N) confirms exploitation requires no credentials against default-configured Drupal sites running the affected module. Despite an automatable attack surface, SSVC rates exploitation as none, EPSS sits at 0.13% (3rd percentile), and no active exploitation is confirmed; a vendor patch is available via Drupal SA-contrib-2026-061.
Forceful Browsing via missing authorization (CWE-862) in the Drupal Paragraphs contributed module allows remote unauthenticated users to access paragraph entities they are not authorized to view or modify, bypassing the CMS access control layer entirely. All Paragraphs releases from 0.0.0 up to but not including 1.21.0 are affected, per vendor advisory SA-CONTRIB-2026-060. Despite being automatable per SSVC analysis and network-exploitable with no privileges required, real-world exploitation risk is low: EPSS sits at 0.13% (3rd percentile), no public exploit code has been identified, and CISA has not added this to KEV.
Missing authorization in the Drupal Paragraphs contributed module (all versions through 1.20.x) enables unauthenticated remote attackers to perform forceful browsing - directly accessing paragraph entity URLs or endpoints without passing any authorization check. The CVSS vector (PR:N/AC:L/AV:N) confirms exploitation requires no credentials against default-configured Drupal sites running the affected module. Despite an automatable attack surface, SSVC rates exploitation as none, EPSS sits at 0.13% (3rd percentile), and no active exploitation is confirmed; a vendor patch is available via Drupal SA-contrib-2026-061.
Forceful Browsing via missing authorization (CWE-862) in the Drupal Paragraphs contributed module allows remote unauthenticated users to access paragraph entities they are not authorized to view or modify, bypassing the CMS access control layer entirely. All Paragraphs releases from 0.0.0 up to but not including 1.21.0 are affected, per vendor advisory SA-CONTRIB-2026-060. Despite being automatable per SSVC analysis and network-exploitable with no privileges required, real-world exploitation risk is low: EPSS sits at 0.13% (3rd percentile), no public exploit code has been identified, and CISA has not added this to KEV.