CVE-2026-3211 PUBLISHED

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

Assigner: drupal
Reserved: 25.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.

Product Status

Vendor	Drupal
Product	Theme Negotiation by Rules
Versions	Default: unaffected affected from 0.0.0 to 1.2.1 (excl.)

Credits

Juraj Nemec (poker10) finder
Zoltan Attila Horvath (huzooka) remediation developer
Juraj Nemec (poker10) remediation developer
Damien McKenna (damienmckenna) coordinator
Greg Knaddison (greggles) coordinator
Juraj Nemec (poker10) coordinator
Jess (xjm) coordinator

References

https://www.drupal.org/sa-contrib-2026-012

Problem Types

CWE-352 Cross-Site Request Forgery (CSRF) CWE

Impacts

CAPEC-62 Cross Site Request Forgery