| CVE-2026-9082 |
critical |
9.8 |
10.0 |
|
|
|
15d ago |
Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. |
| CVE-2018-7602 |
critical |
— |
10.0 |
|
|
|
8y ago |
A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site. |
| CVE-2018-7600 |
critical |
— |
10.0 |
|
|
|
8y ago |
Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. |
| CVE-2020-13672 |
critical |
— |
9.5 |
|
|
|
5y ago |
Drupal core Cross-site Scripting (XSS) vulnerability |
| CVE-2016-6211 |
high |
8.8 |
8.8 |
|
|
|
10y ago |
Drupal Saving user accounts can sometimes grant the user all roles |
| CVE-2017-6381 |
high |
8.1 |
8.1 |
|
|
|
9y ago |
Drupal Remote code execution |
| CVE-2016-5385 |
high |
8.1 |
8.1 |
|
|
|
10y ago |
HTTP Proxy header vulnerability |
| CVE-2016-3171 |
high |
8.1 |
8.1 |
|
|
|
10y ago |
Drupal arbitrary code execution |
| CVE-2016-3169 |
high |
8.1 |
8.1 |
|
|
|
10y ago |
Drupal saving user accounts can sometimes grant the user all roles |
| CVE-2016-3162 |
high |
8.1 |
8.1 |
|
|
|
10y ago |
Drupal File upload access bypass and denial of service |
| CVE-2020-13675 |
high |
— |
8.0 |
|
|
|
5y ago |
Unrestricted Upload of File with Dangerous Type in Drupal core |
| CVE-2020-13673 |
high |
— |
8.0 |
|
|
|
5y ago |
The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it i… |
| CVE-2020-13677 |
high |
— |
8.0 |
|
|
|
5y ago |
Drupal core access bypass vulnerability |
| CVE-2020-13676 |
high |
— |
8.0 |
|
|
|
5y ago |
Incorrect Authorization in Drupal core |
| CVE-2020-13674 |
high |
— |
8.0 |
|
|
|
5y ago |
Cross-Site Request Forgery in Drupal core |
| CVE-2021-33829 |
high |
— |
8.0 |
|
|
|
5y ago |
ckeditor4 vulnerable to cross-site scripting |
| CVE-2017-6919 |
high |
7.5 |
7.5 |
|
|
|
9y ago |
Drupal access control bypass vulnerability |
| CVE-2017-6379 |
high |
7.5 |
7.5 |
|
|
|
9y ago |
Drupal Cross-Site Request Forgery (CSRF) |
| CVE-2017-6377 |
high |
7.5 |
7.5 |
|
|
|
9y ago |
Drupal editor module incorrectly checks access to inline private files |
| CVE-2016-9450 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
Drupal Incorrect cache context on password reset page |
| CVE-2016-3165 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
Drupal Form API ignores access restrictions on submit buttons |
| CVE-2016-3163 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
Drupal Brute force amplification attacks via XML-RPC |
| CVE-2011-2687 |
high |
— |
7.5 |
|
|
|
15y ago |
Drupal Access Control Bypass |
| CVE-2016-3167 |
high |
7.4 |
7.4 |
|
|
|
10y ago |
Drupal Open redirect vulnerability in the drupal_goto function |
| CVE-2016-3164 |
high |
7.4 |
7.4 |
|
|
|
10y ago |
Drupal Open Redirect |
| CVE-2019-6340 |
unknown |
— |
2.5 |
|
|
|
7y ago |
In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. |
| CVE-2020-13671 |
unknown |
— |
1.5 |
|
|
|
6y ago |
Improper sanitization in the extension file names is present in Drupal core. |
| CVE-2022-39261 |
unknown |
— |
— |
|
|
|
4y ago |
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-31042 |
unknown |
— |
— |
|
|
|
4y ago |
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with… |
| CVE-2022-31043 |
unknown |
— |
— |
|
|
|
4y ago |
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds w… |
| CVE-2022-29248 |
unknown |
— |
— |
|
|
|
4y ago |
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the … |
| CVE-2022-24775 |
unknown |
— |
— |
|
|
|
4y ago |
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values… |
| CVE-2019-10909 |
unknown |
— |
— |
|
|
|
7y ago |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… |
