Drupal.org published a July 8, 2026 contributed-project security batch that Drupal site owners and hosting teams should review before the next maintenance window. The highest-priority items are three critical projects that Drupal’s security team marked unsupported, plus a critical Location Selector SQL injection fix tracked as SA-CONTRIB-2026-072 and CVE-2026-15081.
This is a backup-first change. Before removing or updating modules on a live Drupal site, take a database backup, preserve the codebase and Composer files, back up the files directory, export configuration, and confirm that you can restore if an update changes site behavior.
What Drupal Published
- Location Selector – SA-CONTRIB-2026-072 / CVE-2026-15081: critical SQL injection risk in affected Location Selector versions before 8.x-1.3. Drupal lists Location Selector 8.x-1.3 as the fixed release.
- Commerce guest registration – SA-CONTRIB-2026-079 / CVE-2026-15089: critical unsupported project. Drupal’s action is to uninstall it if present.
- Clean RESTful – SA-CONTRIB-2026-078 / CVE-2026-15087: critical unsupported project. Drupal’s action is to uninstall it if present.
- Raw Formatter [Meta Tag Formatter] – SA-CONTRIB-2026-077 / CVE-2026-15086: critical unsupported project. Drupal’s action is to uninstall it if present.
- AI SEO/GEO Analyzer – SA-CONTRIB-2026-076 / CVE-2026-15085: moderately critical stored cross-site scripting risk in generated report display.
- UI Patterns – SA-CONTRIB-2026-075 / CVE-2026-15084: moderately critical cross-site scripting risk in component markup handling.
- ECA Render submodule – SA-CONTRIB-2026-074 / CVE-2026-15083: less critical information disclosure risk in specific render model use.
- Siteimprove Analytics – SA-CONTRIB-2026-073 / CVE-2026-15082: moderately critical cross-site scripting risk tied to tracking code handling.
- Ray Enterprise Translation – SA-CONTRIB-2026-071 / CVE-2026-15080: moderately critical cross-site request forgery risk on state-changing administrative actions.
- Login Disable – SA-CONTRIB-2026-070 / CVE-2026-15079: moderately critical access bypass risk addressed with additional flood control.
Admin Checklist
- Search Composer manifests and Drupal’s extension list for the affected project machine names before touching production.
- If Commerce guest registration, Clean RESTful, or Raw Formatter [Meta Tag Formatter] is installed, plan removal rather than waiting for a patch from the abandoned project.
- If Location Selector is installed, update to Location Selector 8.x-1.3 or later, then verify any Views filters that accept visitor input.
- Patch the moderate-risk modules if they are installed, especially where editors, site builders, or administrators can trigger the affected workflows.
- Clear Drupal caches, rebuild routes if needed, and verify key public pages, admin pages, forms, Views, multilingual workflows, analytics behavior, and login behavior.
- After the maintenance window, review Drupal logs, web server logs, and database error logs for failed requests or module-related exceptions.
Hosting Notes
For agencies and hosting teams, the unsupported-project advisories are the ones most likely to surprise clients because the safe fix may be removal or replacement. Inventory first, explain the impact, and do not delete a production module until you know whether the site depends on it for checkout, content display, reporting, analytics, translations, or access control.
For the Location Selector issue, prioritize sites where public Views accept location input. Drupal lists the risk as critical, but also notes that exposure depends on an affected View using the vulnerable filter and accepting user input. That means the practical task is to patch first, then verify the Views configuration instead of assuming every Drupal install is exposed the same way.
Sources
- Drupal.org security advisories
- Location Selector – Critical – SQL Injection – SA-CONTRIB-2026-072
- Commerce guest registration – Critical – Unsupported – SA-CONTRIB-2026-079
- Clean RESTful – Critical – Unsupported – SA-CONTRIB-2026-078
- Raw Formatter [Meta Tag Formatter] – Critical – Unsupported – SA-CONTRIB-2026-077


