{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3210", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:24.447Z", "datePublished": "2026-03-25T15:21:43.470Z", "dateUpdated": "2026-03-26T14:34:55.742Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:43.470Z"}, "title": "Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011", "datePublic": "2026-02-25T18:43:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "Material Icons", "collectionURL": "https://www.drupal.org/project/material_icons", "repo": "https://git.drupalcode.org/project/material_icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.<p>This issue affects Material Icons: from 0.0.0 before 2.0.4.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-011"}], "credits": [{"lang": "en", "value": "Jen M (jannakha)", "type": "finder"}, {"lang": "en", "value": "Bryan Sharpe (b_sharpe)", "type": "remediation developer"}, {"lang": "en", "value": "Jen M (jannakha)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Ra M\u00c3\u00a4nd (ram4nd)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:02:52.139144Z", "id": "CVE-2026-3210", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:34:55.742Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3210", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:02:52.139144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:03:07.380Z"}}], "cna": {"title": "Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jen M (jannakha)"}, {"lang": "en", "type": "remediation developer", "value": "Bryan Sharpe (b_sharpe)"}, {"lang": "en", "type": "remediation developer", "value": "Jen M (jannakha)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Ra M\u00c3\u00a4nd (ram4nd)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/material_icons", "vendor": "Drupal", "product": "Material Icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/material_icons", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:43:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-011"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.<p>This issue affects Material Icons: from 0.0.0 before 2.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:43.470Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3210", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:34:55.742Z", "dateReserved": "2026-02-25T16:59:24.447Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:21:43.470Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagexmedia:material_icons:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "F1D849DD-94CE-441A-B0A0-7D338F5078C5", "versionEndExcluding": "2.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal Material Icons permite la navegaci\u00f3n forzada. Este problema afecta a Material Icons: desde 0.0.0 hasta antes de 2.0.4."}], "id": "CVE-2026-3210", "lastModified": "2026-03-31T19:22:12.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.940", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-011"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Material Icons", "source": "cna", "vendor": "Drupal"}, "product": "material_icons", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-01T05:48:32.712207+00:00", "value": {"mitigation_remediation": ["Update the Material Icons module to version 2.0.4 or later.", "Verify that the updated module retains proper authorization checks in your Drupal environment."], "summary": {"action": "Patch immediately", "impact": "Unauthorized access via forceful browsing"}, "threat_synthesis": {"affected_systems": "Drupal website operators using the Material Icons module are impacted. Versions starting from the initial release up to, but not including, 2.0.4 are vulnerable. If your site runs an older version of this module on Drupal, it is at risk.", "description_and_impact": "The vulnerability arises from incorrect authorization checks in Drupal's Material Icons module. An attacker can forcefully browse to assets or URLs that should be restricted, exposing potentially sensitive content. This weakness maps to CWE\u2011863, which deals with improper authorization. The primary consequence is that users or attackers gain access to resources that should be protected, undermining confidentiality but not directly affecting system availability or integrity.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1\u202f% suggests that the exploit probability is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely exploit the flaw by manipulating URLs or requests to access the protected content, a typical forceful browsing scenario. While exploitation risk remains moderate, the potential impact on confidential material warrants prompt attention."}}}}, "created": "2026-03-25T21:31:05.483782+00:00", "updated": "2026-04-02T07:59:14.767457+00:00", "vendors": ["drupal", "drupal$PRODUCT$material_icons"]}