DRUPAL-CONTRIB-2026-052
Details
This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote.
The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "give feedback". Note: "give feedback" is granted to the anonymous and authenticated roles by default on install.
Affected packages
Packagist:https://packages.drupal.org/8 / drupal/admin_feedback
Introduced in: 0
Fixed in: 2.8.0
Upgrade drupal/admin_feedback to 2.8.0 or newer (ecosystem packagist:https://packages.drupal.org/8).
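One way to check a site against the affected range above, as an added example that is not part of the advisory or the module's code: it reads `composer.lock` content and compares the locked `drupal/admin_feedback` version with the fixed release 2.8.0. The function names and the sample lock content are assumptions constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/admin_feedback"  # package named in the advisory
FIXED = (2, 8, 0)                  # "Fixed in: 2.8.0" from the advisory


def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None for dev refs."""
    m = re.fullmatch(
        r"v?(\d+)\.(\d+)\.(\d+)(?:[-.]?(alpha|beta|rc)\.?\d*)?", raw.strip(), re.I
    )
    if not m:
        return None  # e.g. "2.x-dev": a moving branch with no fixed version
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None


def assess(lock_text):
    """Classify composer.lock content: not-installed, affected, fixed, unknown."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        parsed = parse_version(pkg.get("version", ""))
        if parsed is None:
            return "unknown"  # needs a manual look at the locked commit
        numbers, prerelease = parsed
        # A pre-release of 2.8.0 sorts before 2.8.0, so it is inside the
        # affected range as stated; tuples compare numerically (2.10 > 2.8).
        if numbers < FIXED or (numbers == FIXED and prerelease):
            return "affected"
        return "fixed"
    return "not-installed"


def sample_lock(version):
    """Constructed composer.lock content with only the fields read above."""
    return json.dumps(
        {"packages": [{"name": PACKAGE, "version": version}], "packages-dev": []}
    )


if __name__ == "__main__":
    for v in ("2.7.0", "2.8.0-beta1", "2.8.0", "2.10.1", "2.x-dev"):
        print(f"{v:12} -> {assess(sample_lock(v))}")
```

To check a real site, pass the text of its own `composer.lock` to `assess()`; an `unknown` result means a dev branch is locked and the commit has to be checked by hand.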