{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0748", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-08T19:50:35.556Z", "datePublished": "2026-03-26T21:17:37.769Z", "dateUpdated": "2026-03-27T13:55:09.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T21:17:37.769Z"}, "title": "Access bypass in Drupal 7 i18n_node translation UI", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Abuse"}]}], "affected": [{"vendor": "Drupal", "product": "Internationalization (i18n) - i18n_node submodule", "collectionURL": "https://www.drupal.org/project/i18n", "packageName": "i18n_node", "repo": "https://git.drupalcode.org/project/i18n", "versions": [{"status": "affected", "version": "7.x-1.0", "lessThanOrEqual": "7.x-1.35", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. <br><br>Exploit affects versions 7.x-1.0 up to and including 7.x-1.35."}]}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748", "tags": ["third-party-advisory"]}, {"url": "https://d7es.tag1.com/node/86", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Tat\u00e1r Bal\u00e1zs J\u00e1nos (tatarbj)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:32:21.676472Z", "id": "CVE-2026-0748", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:09.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Access bypass in Drupal 7 i18n_node translation UI", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Tat\u00e1r Bal\u00e1zs J\u00e1nos (tatarbj)"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/i18n", "vendor": "Drupal", "product": "Internationalization (i18n) - i18n_node submodule", "versions": [{"status": "affected", "version": "7.x-1.0", "versionType": "custom", "lessThanOrEqual": "7.x-1.35"}], "packageName": "i18n_node", "collectionURL": "https://www.drupal.org/project/i18n", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748", "tags": ["third-party-advisory"]}, {"url": "https://d7es.tag1.com/node/86", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.", "supportingMedia": [{"type": "text/html", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. <br><br>Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T21:17:37.769Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0748", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:32:21.676472Z"}}}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:32:14.892Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-0748", "state": "PUBLISHED", "dateUpdated": "2026-03-26T21:17:37.769Z", "dateReserved": "2026-01-08T19:50:35.556Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T21:17:37.769Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35."}, {"lang": "es", "value": "En el m\u00f3dulo Internationalization (i18n) de Drupal 7, el subm\u00f3dulo i18n_node permite a un usuario con ambos permisos de 'Traducir contenido' y 'Administrar traducciones de contenido' ver y adjuntar nodos no publicados a trav\u00e9s de la interfaz de usuario de traducci\u00f3n y su widget de autocompletado. Esto elude los controles de acceso previstos y revela los t\u00edtulos e IDs de nodos no publicados. El exploit afecta a las versiones 7.x-1.0 hasta la 7.x-1.35 inclusive."}], "id": "CVE-2026-0748", "lastModified": "2026-03-27T15:16:46.307", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T22:16:27.100", "references": [{"source": "[email protected]", "url": "https://d7es.tag1.com/node/86"}, {"source": "[email protected]", "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "[email protected]", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.x-1.0,7.x-1.35]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Internationalization (i18n) - i18n_node submodule", "source": "cna", "vendor": "Drupal"}, "product": "internationalization", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T22:20:39.063421+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal 7 i18n module to version 7.x-1.36 or later.", "Review and remove the combination of Translate content and Administer content translations permissions from users that do not need them.", "If an immediate update is not possible, restrict access to the translation UI in the administrative settings until a patched version is available."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Drupal 7 Internationalization (i18n) module, specifically the i18n_node submodule, for all releases from 7.x-1.0 through 7.x-1.35. Sites running any of these versions are impacted unless they have removed the vulnerable module or patched it.", "description_and_impact": "Drupal 7 Internationalization (i18n) module contains a flaw in the i18n_node submodule that allows a user who holds both the Translate content and Administer content translations permissions to use the translation UI and its autocomplete widget to view and attach unpublished nodes. Because the module does not enforce the intended access controls in this context, the titles and IDs of unpublished nodes are exposed, resulting in the disclosure of normally protected content. The weakness is a classic example of improper authorization in authentication and authorization (CWE\u2011284).", "risk_and_exploitability": "The CVSS v3 score for this issue is 5.3, indicating moderate severity. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack vector is inferred to be web-based; an attacker requires the two noted permissions, which may be granted to users with translation responsibilities. With those permissions, the attacker can enumerate unpublished content via the UI, potentially using the data for further attacks such as social engineering or prior to finding other vulnerabilities."}}}}, "created": "2026-03-27T08:31:42.964377+00:00", "updated": "2026-03-27T09:23:09.466873+00:00", "vendors": ["drupal", "drupal$PRODUCT$internationalization"]}