Drupal 7 Security Roundup: Eight CVEs Resolved in Contrib Modules (April 2026)
OpenID Connect, Protected Pages, CAPTCHA, and five more: what changed, who is affected, and what Drupal 7 sites on end-of-life support need to know

As a trusted leader in the open source ecosystem, HeroDevs specializes in providing secure, Never-Ending Support (NES) for open source software that has reached its official end-of-life. Our NES solutions empower organizations to maintain business continuity without the pressure of forced upgrades, offering the freedom to plan migrations on your own timeline.
At HeroDevs, that's our mission: secure open source. We do it in two ways:
- Remediating known CVEs across critical ecosystems, and
- Proactively researching vulnerabilities before attackers can exploit them.
This post covers eight CVEs recently resolved across Drupal 7 contrib modules, ranging from Low to High severity. Drupal 7 reached end-of-life on January 5, 2025. The Drupal open source project no longer issues security updates for Drupal 7 or the contrib modules that run on it. Every CVE in this roundup has no upstream fix available for Drupal 7 sites. All eight have been resolved for NES for Drupal customers.
Drupal 7 CVEs Fixed by HeroDevs
High Severity Vulnerabilities
CVE-2025-9551: Access Control Bypass in Protected Pages
The Protected Pages module restricts access to specified pages by requiring a password. CVE-2025-9551 lets an attacker bypass that control and reach content the site owner intended to keep restricted: the module does not throttle password attempts, so anyone who knows or can discover the URL of a protected page can submit guesses at machine speed until the correct password is found.
The rating is High, but the practical impact scales with what sits behind the protection. Sites using Protected Pages for internal content, staged releases, or member-restricted pages should prioritize this fix. It is resolved for NES for Drupal customers.
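Until the patched module is in place, the attempt rate can be throttled inside Drupal itself, which complements the WAF-level rate limiting discussed in the FAQ below. The following is an added example, not Protected Pages or HeroDevs code, using Drupal 7's flood API (flood_is_allowed() and flood_register_event() from bootstrap.inc). It assumes the module's password form has the form ID protected_pages_enter_password (verify this against your copy of the module) and that the file is the .module of a small custom module named pp_throttle.

```php
<?php
/**
 * Added example, not Protected Pages or HeroDevs code. Throttles guesses
 * against the Protected Pages password form with Drupal 7's flood API.
 * Assumptions: the form ID is 'protected_pages_enter_password' and this
 * file is pp_throttle.module in a custom module named pp_throttle.
 */

define('PP_THROTTLE_EVENT', 'pp_throttle_failed_password');
define('PP_THROTTLE_LIMIT', 5);     // failed guesses allowed per window, per client IP
define('PP_THROTTLE_WINDOW', 900);  // window length in seconds (15 minutes)

/**
 * Implements hook_form_FORM_ID_alter().
 */
function pp_throttle_form_protected_pages_enter_password_alter(&$form, &$form_state, $form_id) {
  $form += array('#validate' => array());
  // Run before the module's own password check so a locked-out client never
  // reaches it, and again after it so that failures are recorded.
  array_unshift($form['#validate'], 'pp_throttle_precheck');
  $form['#validate'][] = 'pp_throttle_record';
}

/**
 * Rejects the submission outright once the client has used up its budget.
 */
function pp_throttle_precheck($form, &$form_state) {
  $ip = ip_address();
  if (!flood_is_allowed(PP_THROTTLE_EVENT, PP_THROTTLE_LIMIT, PP_THROTTLE_WINDOW, $ip)) {
    $form_state['pp_throttle_blocked'] = TRUE;
    form_set_error('form', t('Too many failed attempts. Try again in a few minutes.'));
    watchdog('pp_throttle', 'Blocked password guessing from %ip.', array('%ip' => $ip), WATCHDOG_WARNING);
  }
}

/**
 * Counts a failed guess. Any validation error left after the module's own
 * handler ran is treated as a wrong password; blocked submissions are not
 * counted twice.
 */
function pp_throttle_record($form, &$form_state) {
  if (empty($form_state['pp_throttle_blocked']) && form_get_errors()) {
    flood_register_event(PP_THROTTLE_EVENT, PP_THROTTLE_WINDOW, ip_address());
  }
}
```

Two caveats. Per-IP throttling only raises the cost of guessing; an attacker with many source addresses still gets PP_THROTTLE_LIMIT guesses per address per window, so the page password itself still has to be strong. And ip_address() returns the proxy's address unless $conf['reverse_proxy'] and $conf['reverse_proxy_addresses'] are set in settings.php; behind a CDN or load balancer without that configuration every visitor shares one counter and the first few failures lock everyone out.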
Medium Severity Vulnerabilities
CVE-2026-3530, CVE-2026-3531, CVE-2026-3532: Three Vulnerabilities in OpenID Connect
Three separate CVEs were resolved in the OpenID Connect module for Drupal 7 in this cycle:
- CVE-2026-3530 (Information Exposure)
- CVE-2026-3531 (Authorization Bypass)
- CVE-2026-3532 (Broken Access Control)
The OpenID Connect module handles third-party authentication flows, connecting Drupal 7 sites to external identity providers. Vulnerabilities in authentication components carry inherent risk regardless of individual CVSS scores: a compromise of the login pathway can cascade into account takeover or privilege escalation.
Three distinct issues in a single module within the same release cycle is itself a signal. Sites using OpenID Connect for user authentication should treat this cluster as a priority. All three are resolved for NES for Drupal customers.
CVE-2026-3214: Vulnerability in CAPTCHA Module
CVE-2026-3214 affects the CAPTCHA module for Drupal 7. CAPTCHA is among the most widely deployed Drupal contrib modules, used to protect forms from automated abuse: contact forms, registration flows, comment fields, login pages. A vulnerability in CAPTCHA therefore has potential downstream impact for every form it protects. The flaw lies in how the module handled the hidden CAPTCHA session ID and one-time token: during later form processing the code could still accept a session that had already been solved instead of forcing a fresh challenge. An attacker could solve one CAPTCHA legitimately, capture the associated hidden form values (captcha_sid and captcha_token), and replay them to bypass subsequent CAPTCHA challenges, turning a one-time gate into a reusable pass for automated submissions. This CVE is resolved for NES for Drupal customers.
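The invariant that the flaw broke is that a solved CAPTCHA session is good for exactly one successful submission. The block below is an added example, not the CAPTCHA module's or HeroDevs' code, and does not use the module's real table schema: it is a minimal one-time session store in plain PHP with an in-memory array constructed for the example, followed by a driver that solves a challenge once and then replays the captured captcha_sid and captcha_token.

```php
<?php
/**
 * Added example, not CAPTCHA module or HeroDevs code. A minimal one-time
 * CAPTCHA session store: a session passes validation at most once, so
 * captured captcha_sid/captcha_token values cannot be replayed. Storage is
 * an in-memory array constructed for this example; a module would keep it
 * in a database table.
 */

final class CaptchaSessions {
    /** @var array<int, array{token:string, solution:string, form_id:string, status:string}> */
    private array $sessions = [];
    private int $nextSid = 1;

    /** Issues a new challenge and returns the hidden values the form carries. */
    public function create(string $formId, string $solution): array {
        $sid = $this->nextSid++;
        $this->sessions[$sid] = [
            'token'    => bin2hex(random_bytes(16)),
            'solution' => $solution,
            'form_id'  => $formId,
            'status'   => 'unsolved',
        ];
        return ['captcha_sid' => $sid, 'captcha_token' => $this->sessions[$sid]['token']];
    }

    /**
     * Validates a submission. Returns true at most once per session; every
     * failure path returns false without revealing which check failed.
     */
    public function validate(int $sid, string $token, string $formId, string $response): bool {
        if (!isset($this->sessions[$sid])) {
            return false;
        }
        $session = &$this->sessions[$sid];
        // The check the described flaw was missing on the later processing
        // pass: a session that has already been consumed is never accepted again.
        if ($session['status'] !== 'unsolved') {
            return false;
        }
        // Bind the session to the token the form was issued with and to the
        // form it was issued for, so a token solved on one form cannot be
        // carried to another.
        if (!hash_equals($session['token'], $token) || $session['form_id'] !== $formId) {
            return false;
        }
        if (!hash_equals($session['solution'], $response)) {
            return false;
        }
        // Consume before returning, so a later submission with the same
        // sid/token pair cannot pass.
        $session['status'] = 'consumed';
        return true;
    }
}

// Driver: solve once, replay the captured hidden values, then confirm a
// fresh challenge still works.
$store  = new CaptchaSessions();
$hidden = $store->create('user_register_form', 'x7q2');

$first  = $store->validate($hidden['captcha_sid'], $hidden['captcha_token'], 'user_register_form', 'x7q2');
$replay = $store->validate($hidden['captcha_sid'], $hidden['captcha_token'], 'user_register_form', 'x7q2');

$fresh  = $store->create('user_register_form', 'k9mz');
$again  = $store->validate($fresh['captcha_sid'], $fresh['captcha_token'], 'user_register_form', 'k9mz');

printf("first submission: %s\n", var_export($first, true));
printf("replayed values:  %s\n", var_export($replay, true));
printf("fresh challenge:  %s\n", var_export($again, true));
```

With database-backed storage the consume step has to be atomic: an UPDATE that sets the status to consumed WHERE the session ID matches AND the status is still unsolved, with the affected-row count used as the verdict. A SELECT followed by a separate UPDATE leaves a window in which two concurrent submissions of the same captured values both pass.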
CVE-2026-4093: Vulnerability in Term Reference Tree Widget
CVE-2026-4093 affects the Term Reference Tree Widget module for Drupal 7. It provides hierarchical content selection UI components, commonly used in taxonomy and term reference fields. A cross-site scripting issue in the Term Reference Tree Widget allows malicious markup to be injected into the rendered term tree, potentially executing in a user’s browser when the widget is displayed. This CVE is resolved for NES for Drupal customers.
CVE-2026-4929: Vulnerability in SHS Module
CVE-2026-4929 affects the SHS module for Drupal 7, which provides hierarchical select field interactions for structured content entry. SHS contains a cross-site scripting (XSS) weakness: malicious markup in term labels can be rendered unescaped in the term tree or field output and execute in the browser of any user who views that output. Term names are commonly editable by content roles that are not administrators, so this class of stored XSS frequently ends up executing in an administrator's session.
NES customers get immediate access to a patched version of this module.
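Both XSS CVEs above (Term Reference Tree Widget and SHS) are the same class of bug: a taxonomy term name reaching widget markup without output escaping. The block below is an added example, not code from either module or from HeroDevs, showing a deliberately vulnerable tree renderer next to its hardened form on a constructed term tree. In Drupal 7 the escaping call is check_plain(), which is htmlspecialchars() with ENT_QUOTES and 'UTF-8'; the example calls htmlspecialchars() directly so it runs outside Drupal.

```php
<?php
/**
 * Added example, not code from SHS, Term Reference Tree Widget or HeroDevs.
 * Renders a taxonomy term tree with and without output escaping. Term data
 * is constructed inline. escape_html() matches what Drupal 7's check_plain()
 * does, so inside a module you would call check_plain() instead.
 */

function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Vulnerable: term names are concatenated into the markup verbatim. */
function render_tree_unsafe(array $terms): string {
    $html = '<ul>';
    foreach ($terms as $term) {
        $html .= '<li data-tid="' . $term['tid'] . '">' . $term['name'];
        if ($term['children']) {
            $html .= render_tree_unsafe($term['children']);
        }
        $html .= '</li>';
    }
    return $html . '</ul>';
}

/** Hardened: every value is escaped for the context it is emitted into. */
function render_tree_safe(array $terms): string {
    $html = '<ul>';
    foreach ($terms as $term) {
        $tid = (int) $term['tid'];  // attribute value: force the integer type
        $html .= '<li data-tid="' . $tid . '">' . escape_html($term['name']);
        if ($term['children']) {
            $html .= render_tree_safe($term['children']);
        }
        $html .= '</li>';
    }
    return $html . '</ul>';
}

// Constructed term tree. The third term's name is the kind of label a user
// with permission to edit terms in the vocabulary could save.
$terms = array(
    array('tid' => 1, 'name' => 'Regions', 'children' => array(
        array('tid' => 2, 'name' => 'North "East"', 'children' => array()),
        array('tid' => 3, 'name' => '<img src=x onerror=alert(document.cookie)>', 'children' => array()),
    )),
);

echo "unsafe:\n", render_tree_unsafe($terms), "\n\n";
echo "safe:\n", render_tree_safe($terms), "\n";
```

The payload is stored, so it fires for everyone who opens a form or view containing the widget, including site administrators. Escape at the output boundary, where the context is known, rather than trying to sanitize term names on input; a tree handed to JavaScript as a settings array is safe while it stays in JSON but needs the same treatment the moment it is inserted into the DOM as HTML.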
Low Severity Vulnerability
CVE-2026-1917: Vulnerability in Login Disable Module
CVE-2026-1917 affects the Login Disable module for Drupal 7. The module is used to block user logins during maintenance windows or controlled outage periods. Its access-key check is enforced on the login form, so a login request arriving through a non-form login endpoint elsewhere in Drupal 7 contrib could skip the form entirely, complete authentication through Drupal's normal login finalization flow, and never encounter the check. This low-severity vulnerability affects all versions of the Login Disable module for Drupal 7.
Low severity does not mean zero risk. For sites that rely on Login Disable as a maintenance-mode control, this is worth addressing. NES customers get immediate access to a patched version of this module.
Drupal 7 Is End-of-Life: What That Means for These CVEs
When Drupal 7 reached end-of-life on January 5, 2025, the Drupal project stopped releasing updates. Every vulnerability disclosed after that date has no official fix from the open source project. That includes all eight CVEs in this roundup. Sites running Drupal 7 without NES are exposed with no patch path available from upstream.
Why These CVE Fixes Matter
Drupal 7 reached end-of-life in January 2025, which means no security patches come from the Drupal project anymore. That's not a theoretical risk: this roundup alone covers eight vulnerabilities across modules that handle authentication, form protection, access control, and content rendering. These aren't obscure edge cases. OpenID Connect manages how users log in. CAPTCHA protects every public-facing form. Protected Pages guards content the site owner explicitly decided to restrict.
The other dynamic worth noting is the OpenID Connect cluster. Three separate CVEs in one module in a single release cycle points to a component that deserved a closer look, and got one. That kind of targeted attention to a high-value attack surface is exactly what EOL software stops receiving from its upstream maintainers after support ends.
It’s also important to note that a CVE's severity rating comes from its CVSS score, which is built from a set of metrics: attack vector (network vs. local vs. physical), attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability. A "Low" or "Medium" rating usually means one or more of those metrics pulled the score down, for example because the attacker needs an existing account or must get a user to click something. Those preconditions are exactly what an insider, or an attacker who already has a foothold, satisfies by default. And a chain that links several CVEs together, even low-severity ones, can escalate into a serious data breach or cyberattack.
For organizations still on Drupal 7, the question isn't whether vulnerabilities will keep appearing. They will. The question is whether there's a patch path when they do.
Taking Action
If your organization is running Drupal 7 in production, talk to the HeroDevs team about what NES covers and how implementation works. It's a conversation worth having before your next audit, not after.
For more about Drupal 7 extended security support, visit HeroDevs NES for Drupal and the HeroDevs Vulnerability Directory to learn more about NES.
FAQ
Do these CVEs affect Drupal 10 and 11?
No. All eight CVEs in this roundup are specific to Drupal 7 contrib modules. Sites running Drupal 10 or 11 should verify they are on a current patch release, but these vulnerabilities do not apply to supported Drupal versions.
Does NES for Drupal 7 cover contrib modules, or just Drupal core?
NES for Drupal 7 covers both Drupal 7 core and a growing library of contrib modules, including all eight modules in this roundup. When a vulnerability is discovered in a covered module, HeroDevs resolves it and delivers the fix through the NES update channel.
If my site uses a WAF or other perimeter controls, am I protected without patching?
Perimeter controls can reduce exposure for some of these vulnerabilities, particularly brute force attacks like CVE-2025-9551, where rate limiting at the WAF level can slow an attacker down. But they are mitigations, not fixes. CVE-2026-3532 (case sensitivity handling in OpenID Connect) and CVE-2026-4929 (XSS in SHS term output) involve application-layer logic that WAF rules cannot reliably intercept. The only complete remediation is a code-level fix.
Is the HeroDevs Vulnerability Directory up to date?
Yes, the fix dates listed in the HeroDevs vulnerability directory reflect when the resolution was delivered to NES customers.


