Drupal security advisory (AV26-676)