Medium severity5.0NVD Advisory· Published Mar 25, 2026· Updated Mar 31, 2026

CVE-2026-3216

Description

Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.

Affected products

Drupal Canvas Project/Drupal Canvas
cpe:2.3:a:drupal_canvas_project:drupal_canvas:*:*:*:*:*:drupal:*:*
Range: <1.1.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.drupal.org/sa-contrib-2026-017nvdVendor Advisory

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

5.0/ 10

Attack vector: Network
Complexity: Low
Privileges: Low
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.33medium

cvss	0.325
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-918
Server-Side Request Forgery (SSRF)

CVE ID

CVE-2026-3216

Credits

DW
Drew Webber (mcdruid)
finder
DW
Drew Webber (mcdruid)
coordinator
GK
Greg Knaddison (greggles)
coordinator
J(
Jess (xjm)
coordinator
JN
Juraj Nemec (poker10)
coordinator
CL
Christian LÃ³pez EspÃnola (penyaskito)
remediation developer
DW
Drew Webber (mcdruid)
remediation developer
IS
Ignacio SÃ¡nchez Holgueras (isholgueras)
remediation developer
NS
Narendra Singh Rathore (narendrar)
remediation developer
TP
Tim Plunkett (tim.plunkett)
remediation developer