CVE-2025-12760: Drupal Email TFA allows Functionality Bypass

November 18, 2025 (updated November 19, 2025)

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6.

References

git.drupalcode.org/project/email_tfa
github.com/advisories/GHSA-9jrw-jrrj-p6fr
nvd.nist.gov/vuln/detail/CVE-2025-12760
www.drupal.org/sa-contrib-2025-115

Code Behaviors & Features

Detect and mitigate CVE-2025-12760 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →