CVE-2026-3216 PUBLISHED

Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017

Assigner: drupal
Reserved: 25.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Server-Side Request Forgery (SSRF) vulnerability in Drupal Canvas allows Server-Side Request Forgery. This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.

Product Status

Vendor Drupal
Product Drupal Canvas
Versions Default: unaffected
  • affected from 0.0.0 to 1.1.1 (excl.)

Credits

  • Drew Webber (mcdruid) finder
  • Bálint Kléri (balintbrews) remediation developer
  • Ignacio Sánchez Holgueras (isholgueras) remediation developer
  • Drew Webber (mcdruid) remediation developer
  • Narendra Singh Rathore (narendrar) remediation developer
  • Christian López Espínola (penyaskito) remediation developer
  • Tim Plunkett (tim.plunkett) remediation developer
  • Greg Knaddison (greggles) coordinator
  • Drew Webber (mcdruid) coordinator
  • Juraj Nemec (poker10) coordinator
  • Jess (xjm) coordinator

Problem Types

  • CWE-918 Server-Side Request Forgery (SSRF)

Impacts

  • CAPEC-664 Server Side Request Forgery