{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3210", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:24.447Z", "datePublished": "2026-03-25T15:21:43.470Z", "dateUpdated": "2026-03-25T20:03:11.682Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:43.470Z"}, "title": "Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011", "datePublic": "2026-02-25T18:43:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "Material Icons", "collectionURL": "https://www.drupal.org/project/material_icons", "repo": "https://git.drupalcode.org/project/material_icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.<p>This issue affects Material Icons: from 0.0.0 before 2.0.4.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-011"}], "credits": [{"lang": "en", "value": "Jen M (jannakha)", "type": "finder"}, {"lang": "en", "value": "Bryan Sharpe (b_sharpe)", "type": "remediation developer"}, {"lang": "en", "value": "Jen M (jannakha)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Ra M\u00c3\u00a4nd (ram4nd)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:02:52.139144Z", "id": "CVE-2026-3210", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:03:11.682Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3210", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:02:52.139144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:03:07.380Z"}}], "cna": {"title": "Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jen M (jannakha)"}, {"lang": "en", "type": "remediation developer", "value": "Bryan Sharpe (b_sharpe)"}, {"lang": "en", "type": "remediation developer", "value": "Jen M (jannakha)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Ra M\u00c3\u00a4nd (ram4nd)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/material_icons", "vendor": "Drupal", "product": "Material Icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/material_icons", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:43:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-011"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.<p>This issue affects Material Icons: from 0.0.0 before 2.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:43.470Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3210", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:03:11.682Z", "dateReserved": "2026-02-25T16:59:24.447Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:21:43.470Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4."}], "id": "CVE-2026-3210", "lastModified": "2026-03-25T20:16:34.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.940", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-011"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:36:44.127626+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal Material Icons module to version 2.0.4 or later", "If an upgrade cannot be performed immediately, deactivate or uninstall the module to eliminate the vulnerable code", "If icon files must remain accessible, move them outside the web\u2011accessible directory or restrict access to authenticated users", "Monitor web server logs for repeated attempts to request icon URLs to detect potential exploitation attempts"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of Drupal Material Icons from 0.0.0 up to, but not including, 2.0.4. Site owners running this module should verify whether it is installed and, if so, audit exposed icon URLs. The issue is present in the Drupal product named Material Icons across the specified affected versions.", "description_and_impact": "The Drupal Material Icons module contains an incorrect authorization check that permits forceful browsing of icon files that reside on the server. An attacker can request any file that exists within the module\u2019s directory, gaining access to assets that should be protected. This flaw is a classic example of improper authorization, where access is controlled by user\u2011controlled input. The immediate consequence is the disclosure of icon files, which could reveal design or branding information and potentially contain other sensitive data.", "risk_and_exploitability": "Public EPSS data and KEV listing for this vulnerability are not available, so the precise likelihood of exploitation is unknown. Based on the description, the most probable attack vector involves an attacker simply constructing a URL that points to a protected icon file and requesting it. Because the module lacks proper authorization checks, the response returns the file contents. Sites that host the affected module therefore face a moderate to high risk of unauthorized access. Replacing the module with version 2.0.4 or later removes this weakness."}}}}, "created": "2026-03-25T21:31:05.483782+00:00", "updated": "2026-03-25T21:31:05.483893+00:00", "vendors": []}