Medium severity4.3NVD Advisory· Published Mar 26, 2026· Updated Apr 1, 2026
CVE-2026-0748
CVE-2026-0748
Description
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs.
Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
Affected products
1- cpe:2.3:a:internationalization_project:internationalization:*:*:*:*:*:drupal:*:*Range: >=7.x-1.0,<=7.x-1.35
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- www.herodevs.com/vulnerability-directory/cve-2026-0748nvdExploitThird Party Advisory
- www.herodevs.com/vulnerability-directory/cve-2026-0748nvdExploitThird Party Advisory
- d7es.tag1.com/node/86nvdThird Party Advisory
News mentions
2- European Cybersecurity Agency ENISA Seeks Top-Tier Status in CVE ProgramInfosecurity Magazine · Apr 15, 2026
- AI Companies to Play Bigger Role in CVE Program, Says CISAInfosecurity Magazine · Apr 15, 2026