CVE-2026-3216

CVE-2026-3216: Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017

Vendor Drupal
Product Drupal Canvas
Weakness CWE-918 · SSRF
Published March 25, 2026
Last update March 27, 2026

CVSS base score

What the vulnerability does

01Description

Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.

Explanation of Vulnerability in Simple Terms

02Summary

The Drupal Canvas module contains a server-side request forgery (SSRF) vulnerability that allows an attacker to make the site send HTTP requests to internal or external systems on the attacker's behalf. The vulnerability affects all versions before 1.1.1. Site administrators should update immediately to patch the flaw.

What an attacker can do

03Attacker Capabilities

Make the site send HTTP requests to internal systems or external URLs under the attacker's control.

Potential impact on your site

04Site Impact

Attackers could access internal services, exfiltrate data, or pivot to other systems on your network.

Conditions required to exploit

05Prerequisites

Network access to the site; specific attack vector details unavailable due to incomplete CVSS data.

Key dates

06Disclosure timeline

March 25, 2026 CVE published
March 27, 2026 Record updated

Related vulnerabilities

08Related CVE