| CVE | Severity | Score | Score | Age | Summary |
|---|---|---|---|---|---|
| CVE-2026-9082 | critical | 9.8 | 10.0 | 14d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. |
| CVE-2018-7602 | critical | — | 10.0 | 8y ago | A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site. |
| CVE-2018-7600 | critical | — | 10.0 | 8y ago | Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. |
| CVE-2020-13672 | critical | — | 9.5 | 5y ago | Drupal core Cross-site Scripting (XSS) vulnerability |
| CVE-2016-6211 | high | 8.8 | 8.8 | 10y ago | Drupal Saving user accounts can sometimes grant the user all roles |
| CVE-2017-6381 | high | 8.1 | 8.1 | 9y ago | Drupal Remote code execution |
| CVE-2016-5385 | high | 8.1 | 8.1 | 10y ago | HTTP Proxy header vulnerability |
| CVE-2016-3171 | high | 8.1 | 8.1 | 10y ago | Drupal arbitrary code execution |
| CVE-2016-3169 | high | 8.1 | 8.1 | 10y ago | Drupal saving user accounts can sometimes grant the user all roles |
| CVE-2016-3162 | high | 8.1 | 8.1 | 10y ago | Drupal File upload access bypass and denial of service |
| CVE-2020-13675 | high | — | 8.0 | 5y ago | Unrestricted Upload of File with Dangerous Type in Drupal core |
| CVE-2020-13673 | high | — | 8.0 | 5y ago | The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it i… |
| CVE-2020-13677 | high | — | 8.0 | 5y ago | Drupal core access bypass vulnerability |
| CVE-2020-13676 | high | — | 8.0 | 5y ago | Incorrect Authorization in Drupal core |
| CVE-2020-13674 | high | — | 8.0 | 5y ago | Cross-Site Request Forgery in Drupal core |
| CVE-2021-33829 | high | — | 8.0 | 5y ago | ckeditor4 vulnerable to cross-site scripting |
| CVE-2020-28949 | medium | — | 8.0 | 6y ago | PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and di… |
| CVE-2017-6919 | high | 7.5 | 7.5 | 9y ago | Drupal access control bypass vulnerability |
| CVE-2017-6379 | high | 7.5 | 7.5 | 9y ago | Drupal Cross-Site Request Forgery (CSRF) |
| CVE-2017-6377 | high | 7.5 | 7.5 | 9y ago | Drupal editor module incorrectly checks access to inline private files |
| CVE-2016-9450 | high | 7.5 | 7.5 | 10y ago | Drupal Incorrect cache context on password reset page |
| CVE-2016-3165 | high | 7.5 | 7.5 | 10y ago | Drupal Form API ignores access restrictions on submit buttons |
| CVE-2016-3163 | high | 7.5 | 7.5 | 10y ago | Drupal Brute force amplification attacks via XML-RPC |
| CVE-2011-2687 | high | — | 7.5 | 15y ago | Drupal Access Control Bypass |
| CVE-2016-3167 | high | 7.4 | 7.4 | 10y ago | Drupal Open redirect vulnerability in the drupal_goto function |
| CVE-2016-3164 | high | 7.4 | 7.4 | 10y ago | Drupal Open Redirect |
| CVE-2016-9451 | medium | 6.8 | 6.8 | 10y ago | Drupal Open Redirect |
| CVE-2026-6366 | medium | 6.6 | 6.6 | 15d ago | Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a … |
| CVE-2016-9452 | medium | 6.5 | 6.5 | 10y ago | Drupal Denial of service via transliterate mechanism |
| CVE-2016-3168 | medium | 6.4 | 6.4 | 10y ago | Drupal Reflected file download vulnerability |
| CVE-2026-6367 | medium | 6.1 | 6.1 | 15d ago | Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross s… |
| CVE-2026-6365 | medium | 6.1 | 6.1 | 15d ago | Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability. |
| CVE-2016-7571 | medium | 6.1 | 6.1 | 10y ago | Drupal Cross-site scripting (XSS) vulnerability |
| CVE-2016-3166 | medium | 5.9 | 5.9 | 10y ago | Drupal CRLF injection vulnerability in the drupal_set_header function |
| CVE-2021-32610 | medium | — | 5.5 | 5y ago | RHSA-2022:7628: php:7.4 security, bug fix, and enhancement update (Moderate) |
| CVE-2020-28948 | medium | — | 5.5 | 6y ago | RHSA-2022:6542: php:7.4 security update (Moderate) |
| CVE-2016-6212 | medium | 5.3 | 5.3 | 10y ago | Drupal Views can allow unauthorized users to see Statistics information |
| CVE-2016-3170 | medium | 5.3 | 5.3 | 10y ago | Drupal sensitive information disclosure |
| CVE-2016-9449 | medium | 4.3 | 4.3 | 10y ago | Drupal sensitive information disclosure |
| CVE-2016-7572 | medium | 4.3 | 4.3 | 10y ago | Drupal Unprivileged access to config export |
| CVE-2016-7570 | medium | 4.3 | 4.3 | 10y ago | Drupal Users without "Administer comments" can set comment visibility on nodes they can edit |
| CVE-2019-11358 | low | — | 3.5 | 7y ago | RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) |
| CVE-2019-6340 | unknown | — | 2.5 | 7y ago | In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. |
| CVE-2020-13671 | unknown | — | 1.5 | 6y ago | Improper sanitization in the extension file names is present in Drupal core. |
| CVE-2024-45440 | unknown | — | 1.0 | 2y ago | Drupal Full Path Disclosure |
| CVE-2025-13083 | unknown | — | — | 7mo ago | Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels |
| CVE-2025-13082 | unknown | — | — | 7mo ago | Drupal core allows Content Spoofing |
| CVE-2025-13081 | unknown | — | — | 7mo ago | Drupal core allows Object Injection |
| CVE-2025-13080 | unknown | — | — | 7mo ago | Drupal core allows Forceful Browsing |
| CVE-2025-31675 | unknown | — | — | 1y ago | Drupal Core Cross-Site Scripting (XSS) Vulnerability |
| CVE-2025-31674 | unknown | — | — | 1y ago | Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability |
| CVE-2025-31673 | unknown | — | — | 1y ago | Drupal Core Vulnerable to Forceful Browsing |
| CVE-2025-3057 | unknown | — | — | 1y ago | Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages |
| CVE-2024-55638 | unknown | — | — | 2y ago | Drupal core contains a potential PHP Object Injection vulnerability |
| CVE-2024-55637 | unknown | — | — | 2y ago | Drupal core contains a potential PHP Object Injection vulnerability |
| CVE-2024-55636 | unknown | — | — | 2y ago | Drupal core contains a potential PHP Object Injection vulnerability |
| CVE-2024-55634 | unknown | — | — | 2y ago | Drupal core Access bypass |
| CVE-2024-12393 | unknown | — | — | 2y ago | Drupal Core Cross-Site Scripting (XSS) |
| CVE-2024-11942 | unknown | — | — | 2y ago | Drupal core vulnerable to improper error handling |
| CVE-2024-11941 | unknown | — | — | 2y ago | Drupal core Denial of Service |
| CVE-2024-22362 | unknown | — | — | 2y ago | Drupal Denial of Service vulnerability |
| CVE-2023-5256 | unknown | — | — | 3y ago | Cache poisoning in drupal/core |
| CVE-2023-31250 | unknown | — | — | 3y ago | Access bypass in Drupal core |
| CVE-2022-39261 | unknown | — | — | 4y ago | Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-25276 | unknown | — | — | 4y ago | Lack of domain validation in Drupal core |
| CVE-2022-25277 | unknown | — | — | 4y ago | Drupal core arbitrary PHP code execution |
| CVE-2022-25278 | unknown | — | — | 4y ago | Access bypass in Drupal Core |
| CVE-2022-25275 | unknown | — | — | 4y ago | Drupal core Information Disclosure vulnerability |
| CVE-2022-31043 | unknown | — | — | 4y ago | Fix failure to strip Authorization header on HTTP downgrade |
| CVE-2022-31042 | unknown | — | — | 4y ago | Fix failure to strip Authorization header on HTTP downgrade |
| CVE-2022-29248 | unknown | — | — | 4y ago | Cross-domain cookie leakage in Guzzle |
| CVE-2020-13665 | unknown | — | — | 4y ago | Drupal Core Access bypass vulnerability |
| CVE-2020-13662 | unknown | — | — | 4y ago | Drupal Core Open Redirect vulnerability |
| CVE-2017-6929 | unknown | — | — | 4y ago | Drupal cross site scripting vulnerability |
| CVE-2017-6932 | unknown | — | — | 4y ago | Drupal external link injection vulnerability |
| CVE-2017-6927 | unknown | — | — | 4y ago | Drupal cross-site scripting vulnerability |
| CVE-2017-6926 | unknown | — | — | 4y ago | Drupal Comment reply form allows access to restricted content |
| CVE-2017-6920 | unknown | — | — | 4y ago | Drupal PECL YAML parser unsafe object handling |
| CVE-2018-9861 | unknown | — | — | 4y ago | Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS) |
| CVE-2017-6931 | unknown | — | — | 4y ago | Drupal Settings Tray access bypass |
| CVE-2017-6928 | unknown | — | — | 4y ago | Drupal access bypass vulnerability |
| CVE-2017-6930 | unknown | — | — | 4y ago | Drupal access bypass vulnerability |
| CVE-2017-6925 | unknown | — | — | 4y ago | Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions |
| CVE-2017-6922 | unknown | — | — | 4y ago | Drupal core access bypass vulnerability |
| CVE-2017-6921 | unknown | — | — | 4y ago | Drupal file REST resource does not properly validate |
| CVE-2017-6924 | unknown | — | — | 4y ago | Drupal REST API can bypass comment approval |
| CVE-2011-2714 | unknown | — | — | 4y ago | Drupal Cross-Site Scripting vulnerability |
| CVE-2011-2715 | unknown | — | — | 4y ago | Drupal SQL Injection vulnerability |
| CVE-2022-25274 | unknown | — | — | 4y ago | Access bypass in Drupal core |
| CVE-2022-25273 | unknown | — | — | 4y ago | Improper input validation in Drupal core |
| CVE-2022-24775 | unknown | — | — | 4y ago | guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values… |
| CVE-2022-24729 | unknown | — | — | 4y ago | The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/cked… |
| CVE-2022-24728 | unknown | — | — | 4y ago | The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/cked… |
| CVE-2022-25270 | unknown | — | — | 4y ago | Incorrect authorization in Drupal core |
| CVE-2022-25271 | unknown | — | — | 4y ago | Improper input validation in Drupal core |
| CVE-2020-13668 | unknown | — | — | 4y ago | Cross-site Scripting in Drupal Core |
| CVE-2020-13670 | unknown | — | — | 6y ago | Exposure of Resource to Wrong Sphere in Drupal Core |
| CVE-2020-13667 | unknown | — | — | 6y ago | Drupal Core Access bypass vulnerability |
| CVE-2020-13669 | unknown | — | — | 6y ago | Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor |
| CVE-2020-13688 | unknown | — | — | 6y ago | Drupal Core Cross-site scripting vulnerability |