CVE-2026-0748

medium

Description

In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

References

https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7

https://www.herodevs.com/vulnerability-directory/cve-2026-0748

https://d7es.tag1.com/node/86

Details

Source: Mitre, NVD

Published: 2026-03-26

Updated: 2026-03-27

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

CVSS v4

Base Score: 5.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00031