CVE-2026-3211

CVE-2026-3211: Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

Vendor: Drupal
Product: Theme Negotiation by Rules
Weakness: CWE-352 (CSRF)
Published: March 25, 2026
Last update: March 26, 2026

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery. This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.

Explanation of Vulnerability in Simple Terms

02 Summary

The Theme Negotiation by Rules module for Drupal contains a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious link or page that, when visited by a site administrator, performs unwanted actions on the site without their knowledge. Update to version 1.2.1 or later to fix this issue.

What an attacker can do

03 Attacker Capabilities

Perform unwanted actions on the site by tricking an administrator into visiting a malicious page.

Potential impact on your site

04 Site Impact

An attacker can modify theme settings or other site configuration if an admin visits a malicious link.

Conditions required to exploit

05 Prerequisites

An administrator must visit a page controlled by the attacker; no special access or authentication bypass is needed.

Key dates

06 Disclosure timeline

March 25, 2026: CVE published
March 26, 2026: Record updated