{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0748", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-08T19:50:35.556Z", "datePublished": "2026-03-26T21:17:37.769Z", "dateUpdated": "2026-03-27T13:55:09.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T21:17:37.769Z"}, "title": "Access bypass in Drupal 7 i18n_node translation UI", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Abuse"}]}], "affected": [{"vendor": "Drupal", "product": "Internationalization (i18n) - i18n_node submodule", "collectionURL": "https://www.drupal.org/project/i18n", "packageName": "i18n_node", "repo": "https://git.drupalcode.org/project/i18n", "versions": [{"status": "affected", "version": "7.x-1.0", "lessThanOrEqual": "7.x-1.35", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. <br><br>Exploit affects versions 7.x-1.0 up to and including 7.x-1.35."}]}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748", "tags": ["third-party-advisory"]}, {"url": "https://d7es.tag1.com/node/86", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Tat\u00e1r Bal\u00e1zs J\u00e1nos (tatarbj)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:32:21.676472Z", "id": "CVE-2026-0748", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:09.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0748", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:32:21.676472Z"}}}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:32:14.892Z"}}], "cna": {"title": "Access bypass in Drupal 7 i18n_node translation UI", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Tat\u00e1r Bal\u00e1zs J\u00e1nos (tatarbj)"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/i18n", "vendor": "Drupal", "product": "Internationalization (i18n) - i18n_node submodule", "versions": [{"status": "affected", "version": "7.x-1.0", "versionType": "custom", "lessThanOrEqual": "7.x-1.35"}], "packageName": "i18n_node", "collectionURL": "https://www.drupal.org/project/i18n", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748", "tags": ["third-party-advisory"]}, {"url": "https://d7es.tag1.com/node/86", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.", "supportingMedia": [{"type": "text/html", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. <br><br>Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T21:17:37.769Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0748", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:55:09.117Z", "dateReserved": "2026-01-08T19:50:35.556Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T21:17:37.769Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:internationalization_project:internationalization:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "7CA4C6BB-F2EE-4207-95F1-BADE7B086C4F", "versionEndIncluding": "7.x-1.35", "versionStartIncluding": "7.x-1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35."}, {"lang": "es", "value": "En el m\u00f3dulo Internationalization (i18n) de Drupal 7, el subm\u00f3dulo i18n_node permite a un usuario con ambos permisos de 'Traducir contenido' y 'Administrar traducciones de contenido' ver y adjuntar nodos no publicados a trav\u00e9s de la interfaz de usuario de traducci\u00f3n y su widget de autocompletado. Esto elude los controles de acceso previstos y revela los t\u00edtulos e IDs de nodos no publicados. El exploit afecta a las versiones 7.x-1.0 hasta la 7.x-1.35 inclusive."}], "id": "CVE-2026-0748", "lastModified": "2026-04-01T16:22:14.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mlhess@drupal.org", "type": "Secondary"}]}, "published": "2026-03-26T22:16:27.100", "references": [{"source": "mlhess@drupal.org", "tags": ["Third Party Advisory"], "url": "https://d7es.tag1.com/node/86"}, {"source": "mlhess@drupal.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "mlhess@drupal.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.x-1.0,7.x-1.35]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Internationalization (i18n) - i18n_node submodule", "source": "cna", "vendor": "Drupal"}, "product": "internationalization", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-02T02:58:39.879630+00:00", "value": {"mitigation_remediation": ["Upgrade the i18n module to version 7.x-1.36 or later.", "If an upgrade is not immediately possible, revoke the \"Administer content translations\" permission from all but the most trusted roles, ensuring no single user has both required permissions.", "As a temporary measure, disable the translation autocomplete widget in the module\u2019s configuration to stop the specific disclosure path.", "Confirm that no users hold the combination of both permissions after remediation is applied."], "summary": {"action": "Patch Now", "impact": "Access Bypass/Information Disclosure"}, "threat_synthesis": {"affected_systems": "All Drupal 7 sites that have the i18n module installed between versions 7.x-1.0 and 7.x-1.35 are affected. The issue is limited to the i18n_node submodule of the Internationalization project and applies to any Drupal 7 instance that includes this module in that version range.", "description_and_impact": "The vulnerability in the Drupal 7 Internationalization i18n module\u2019s i18n_node submodule allows a user who holds both the \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes through the translation UI and its autocomplete widget. This bypasses normal access controls, exposing unpublished node titles and identifiers to those users. The weakness lies in insufficient permission checks before exposing unpublished content, which aligns with CWE-276 and CWE-284.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity level. With an EPSS score below 1% and no presence in the CISA KEV catalog, the overall likelihood of exploitation is low, although not negligible. The probably attack vector is through the web-based translation interface, where an authenticated user with the required permissions could trigger the information disclosure by accessing the autocomplete functionality. No external preconditions beyond existing permissions are needed for exploitation."}}}}, "created": "2026-03-27T08:31:42.964377+00:00", "updated": "2026-04-02T07:56:16.540091+00:00", "vendors": ["drupal", "drupal$PRODUCT$internationalization"]}