PT-2026-22083 · Drupal+2 · Theme Negotiation By Rules+1

Damien Mckenna +3 · Published 2026-02-25 · Updated 2026-03-30 · CVE-2026-3211

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Drupal Theme Negotiation by Rules versions prior to 1.2.1

Description

A Cross-Site Request Forgery (CSRF) issue exists in the Theme Negotiation by Rules module. The module allows site builders to create “theme rule” config entities to render pages with different themes based on specific conditions. The module utilizes a simple GET request to disable or enable theme rules, enabling attackers to manipulate these rules by deceiving site administrators into clicking malicious links. Successful exploitation requires the attacker to know the machine name of the theme rule.

Recommendations

Update to version 1.2.1 or later.
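
The description above comes down to a state-changing route that a plain GET link can reach without a token. As an added example (not the module's code and not taken from this advisory), the Python sketch below audits a Drupal `*.routing.yml` for such routes, treating Drupal core's `_csrf_token: 'TRUE'` route requirement or a form-backed route as protection. The route names, paths and the path-ending heuristic are assumptions, and the advisory does not say how 1.2.1 implements its fix.

```python
import re

# Constructed sample *.routing.yml; route names, paths and controllers are hypothetical.
SAMPLE_ROUTING = r"""
example.rule.enable:
  path: '/admin/example/rule/{theme_rule}/enable'
  defaults:
    _controller: '\Drupal\example\Controller\RuleController::enable'
  requirements:
    _permission: 'administer example rules'
example.rule.disable:
  path: '/admin/example/rule/{theme_rule}/disable'
  defaults:
    _controller: '\Drupal\example\Controller\RuleController::disable'
  requirements:
    _permission: 'administer example rules'
    _csrf_token: 'TRUE'
example.rule.delete:
  path: '/admin/example/rule/{theme_rule}/delete'
  defaults:
    _entity_form: 'theme_rule.delete'
  requirements:
    _permission: 'administer example rules'
"""

# Heuristic: path endings that imply a state change (an assumption, extend as needed).
STATE_CHANGING = re.compile(r"/(enable|disable|delete|toggle)$")

def split_routes(text):
    """Group routing YAML into {route_name: {key: value}} by indentation."""
    routes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # an unindented key opens a new route
            current = routes.setdefault(line.strip().rstrip(":"), {})
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            current[key] = value.strip().strip("'\"")
    return routes

def unprotected_routes(text):
    """State-changing routes with neither a CSRF token check nor a form."""
    findings = []
    for name, f in split_routes(text).items():
        has_token = f.get("_csrf_token", "").upper() == "TRUE"
        is_form = "_form" in f or "_entity_form" in f
        if STATE_CHANGING.search(f.get("path", "")) and not (has_token or is_form):
            findings.append((name, f["path"]))
    return findings
```

Calling `unprotected_routes()` on the sample flags only the `enable` route; the `disable` route carries the token requirement and the `delete` route goes through a confirmation form.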

Fix

CSRF


Weakness Enumeration

Related identifiers

CVE-2026-3211
DRUPAL-CONTRIB-2026-012

Affected products

Theme Negotiation By Rules
Drupal/Theme Rule