Platform: drupal
Component: drupal
Fixed versions: 1.2.1, 1.2.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in Drupal Theme Negotiation by Rules, affecting versions up to 1.2.1. The flaw allows an attacker to trick an authenticated user into performing actions they did not intend, potentially leading to unauthorized changes to the site's configuration or data. The vulnerability was published on 2026-03-25, and a patch is available in version 1.2.1.
The CSRF vulnerability in Drupal Theme Negotiation by Rules allows an attacker to craft requests that appear to originate from a legitimate user. If successful, the attacker could modify theme negotiation rules, altering how the site renders content or redirects users. This could lead to defacement, redirection to malicious websites, or, if the theme negotiation rules are exploited in conjunction with other vulnerabilities, execution of arbitrary code. The blast radius extends to any user with access to the administrative interface, since their actions could be hijacked.
This vulnerability is not currently known to be actively exploited. It was publicly disclosed on 2026-03-25. No public proof-of-concept exploits are currently available, and the vulnerability has not been added to the CISA KEV catalog.
Drupal sites using the Theme Negotiation by Rules module, particularly those running versions prior to 1.2.1, are at risk. Sites with less stringent security practices, or that have not implemented CSRF protection mechanisms, are particularly vulnerable.
• drupal (locate installed copies of the module file):
  find /var/www/html -name 'theme_negotiation_by_rules.module' -print0 | xargs -0 grep -i 'DRUPAL_CORE_VERSION'
• generic web (inspect the response headers of the site):
  curl -I https://your-drupal-site.com/ | grep -i 'content-type'
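An added check that is not part of this advisory: a Python script that reads a site's composer.lock and reports whether the locked module version is older than the fixed release. The Composer package name drupal/theme_negotiation_by_rules is an assumption derived from the module filename above, and 1.2.1 is taken as the fixed version per the mitigation guidance; the sample lockfile is constructed.

```python
import json
import re

# Constructed composer.lock excerpt for the demo; not a real site's lockfile.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "drupal/core", "version": "10.3.2"},
    {"name": "drupal/theme_negotiation_by_rules", "version": "1.2.0"}
  ]
}
"""

# Assumed Composer package name (derived from the module filename).
PACKAGE = "drupal/theme_negotiation_by_rules"
# Fixed release as given in the advisory's mitigation guidance.
FIXED = "1.2.1"


def parse_version(v):
    """Map '1.2.0', 'v1.2.0', '8.x-1.2' or '1.2.1-beta1' to a sortable key."""
    v = v.lstrip("v")
    if re.match(r"^\d+\.x-", v):          # legacy '8.x-1.2' style prefix
        v = v.split("-", 1)[1]
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        return ((), 0)                     # unparsable: treat as oldest
    nums = tuple(int(p) for p in m.group(1).split("."))
    # stable flag is 0 for pre-releases so 1.2.1-beta1 sorts below 1.2.1
    return (nums, 0 if m.group(2) else 1)


def installed_version(lock_text, package=PACKAGE):
    """Return the locked version of package, or None if it is not installed."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_affected(lock_text, fixed=FIXED):
    """True when the module is installed at a version below the fixed release."""
    v = installed_version(lock_text)
    return v is not None and parse_version(v) < parse_version(fixed)
```

Run it against a real lockfile with `is_affected(open("composer.lock").read())`; a module installed from a tarball rather than Composer will not appear in the lockfile, so pair this with the file-system check above.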
Exploitation status
EPSS: 0.02% (4th percentile)
CVSS vector
The primary mitigation for CVE-2026-3211 is to upgrade Drupal Theme Negotiation by Rules to version 1.2.1 or later immediately. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data used in theme negotiation rules. Implementing a CSRF protection mechanism, such as a token system, can also help reduce the risk. After upgrading, confirm the fix by attempting to submit a forged request and verifying that it is rejected.
Update the Theme Negotiation by Rules module to version 1.2.1 or later. This version fixes the CSRF vulnerability. You can download the latest release from the project page on drupal.org or update via Composer.
CVE-2026-3211 is a Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules that allows attackers to perform unauthorized actions.
You are affected if you are using Drupal Theme Negotiation by Rules versions ≤1.2.1. Upgrade to 1.2.1 to mitigate the risk.
Upgrade Drupal Theme Negotiation by Rules to version 1.2.1 or later. Consider implementing CSRF protection mechanisms if immediate upgrade is not possible.
Currently, there are no reports of CVE-2026-3211 being actively exploited, but it is important to apply the patch promptly.
Refer to the official Drupal security advisory for detailed information and updates regarding CVE-2026-3211.