SB2026062514 - Multiple vulnerabilities in Paragraphs module for Drupal
Published: June 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-13240)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected module does not sufficiently restrict access to unpublished library items in lists. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.
2) Improper access control (CVE-ID: CVE-2026-13241)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected module does not sufficiently restrict access to direct child paragraphs of library items through API endpoints. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Remediation
Install update from vendor's website.