Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Problem types
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Product status
10.6.0 (semver) before 10.6.11
11.2.0 (semver) before 11.2.14
11.3.0 (semver) before 11.3.12
0.0.0 (semver) before 11.0.*
0.0.0 (semver) before 11.1.*
Credits
Melih Acikoz
Michael Winser (michaelwinser)
Willem Drupal enthousiast (willempje2)
Lee Rowlands (larowlan)
catch (catch)
cilefen (cilefen)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)
References
www.drupal.org/sa-core-2026-007