PT-2026-22083 · Drupal+2 · Theme Negotiation By Rules+1
Damien Mckenna +3 · Published 2026-02-25 · Updated 2026-03-30
CVE-2026-3211
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Drupal Theme Negotiation by Rules versions prior to 1.2.1
Description
A Cross-Site Request Forgery (CSRF) issue exists in the Theme Negotiation by Rules module. The module allows site builders to create “theme rule” config entities to render pages with different themes based on specific conditions. The module uses a simple GET request to disable or enable theme rules, so attackers can manipulate these rules by deceiving site administrators into clicking malicious links. Successful exploitation requires the attacker to know the machine name of the theme rule.
Recommendations
Update to version 1.2.1 or later.
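An added example, not code from the module or from this advisory: a small audit that flags Drupal routes which enable or disable something on a plain GET without the core `_csrf_token: 'TRUE'` route requirement, the pattern the description above refers to. The route names, paths and permission string in the sample are constructed, and the parser assumes the simple indented layout shown here.

```python
# Constructed sample: hypothetical route names and paths, not the module's own file.
SAMPLE_ROUTING_YML = """\
example.theme_rule.enable:
  path: '/admin/config/example/theme-rule/{theme_rule}/enable'
  requirements:
    _permission: 'administer example rules'
example.theme_rule.disable:
  path: '/admin/config/example/theme-rule/{theme_rule}/disable'
  requirements:
    _permission: 'administer example rules'
    _csrf_token: 'TRUE'
example.theme_rule.collection:
  path: '/admin/config/example/theme-rule'
  requirements:
    _permission: 'administer example rules'
"""

def split_routes(text):
    """Group a routing file into {route_name: [stripped body lines]}."""
    routes, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace():
            if current:
                routes[current].append(line.strip())
        elif line.strip() and not line.startswith("#"):
            current = line.split(":", 1)[0].strip()  # key at column 0 starts a route
            routes[current] = []
    return routes

def field(body, key):
    """Return the unquoted scalar after `key:` in a route body, or None."""
    for line in body:
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip().strip("'\"")
    return None

def unprotected_routes(text):
    """Names of enable/disable routes reachable by GET with no CSRF token check."""
    findings = []
    for name, body in split_routes(text).items():
        path = field(body, "path") or ""
        methods = field(body, "methods")  # absent: any method, GET included
        accepts_get = methods is None or "GET" in methods.upper()
        has_token = (field(body, "_csrf_token") or "").upper() == "TRUE"
        if path.endswith(("/enable", "/disable")) and accepts_get and not has_token:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(unprotected_routes(SAMPLE_ROUTING_YML))
```

Running it over the contents of a module's `*.routing.yml` lists the routes worth reviewing; a route restricted to POST or carrying the token requirement is not reported.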
Fix
CSRF
Affected Products
Theme Negotiation By Rules
Drupal/Theme Rule