The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.
Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the “access in-place editing” permission from untrusted users will not fully mitigate the vulnerability.
This advisory is not covered by Drupal Steward.
Install the latest version:
If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Drupal 7 core does not include the QuickEdit module and therefore is not affected.
Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.
Greg Knaddison of the Drupal Security Team
Jess of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Vijay Mani
Heine of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Adam G-H
Drew Webber of the Drupal Security Team
Théodore Biadala
More Stories
[IWCC 2025] CfP: 14th International Workshop on Cyber Crime – Ghent, Belgium, Aug 11-14, 2025
Posted by Artur Janicki via Fulldisclosure on Apr 26 [APOLOGIES FOR CROSS-POSTING] CALL FOR PAPERS 14th International Workshop on Cyber...
Inedo ProGet Insecure Reflection and CSRF Vulnerabilities
Posted by Daniel Owens via Fulldisclosure on Apr 26 Inedo ProGet 2024.22 and below are vulnerable to unauthenticated denial of...
Ruby on Rails Cross-Site Request Forgery
Posted by Daniel Owens via Fulldisclosure on Apr 26 Good morning. All current versions and all versions since the 2022/2023...
Microsoft “.library-ms” File / NTLM Information Disclosure (Resurrected 2025)
Posted by hyp3rlinx on Apr 26 [-] Microsoft ".library-ms" File / NTLM Information Disclosure Spoofing (Resurrected 2025) / CVE-2025-24054 [+]...
kappanhang-0-0.3.20250427gitdffb773.fc41
FEDORA-2025-eecb0ea534 Packages in this update: kappanhang-0-0.3.20250427gitdffb773.fc41 Update description: Update to git snapshot dffb773 Read More
A Vulnerability in SAP NetWeaver Visual Composer Could Allow for Remote Code Execution
A vulnerability has been discovered in SAP NetWeaver Visual Composer, which could allow for remote code execution. SAP NetWeaver Visual...