| CVE-2026-9082 |
critical |
9.8 |
10.0 |
|
|
|
15d ago |
Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. |
| CVE-2018-7602 |
critical |
— |
10.0 |
|
|
|
8y ago |
A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site. |
| CVE-2018-7600 |
critical |
— |
10.0 |
|
|
|
8y ago |
Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. |
| CVE-2020-13672 |
critical |
— |
9.5 |
|
|
|
5y ago |
Drupal core Cross-site Scripting (XSS) vulnerability |
| CVE-2020-28949 |
medium |
— |
8.0 |
|
|
|
6y ago |
PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and di… |
| CVE-2016-9451 |
medium |
6.8 |
6.8 |
|
|
|
10y ago |
Drupal Open Redirect |
| CVE-2026-6366 |
medium |
6.6 |
6.6 |
|
|
|
16d ago |
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a … |
| CVE-2016-9452 |
medium |
6.5 |
6.5 |
|
|
|
10y ago |
Drupal Denial of service via transliterate mechanism |
| CVE-2016-3168 |
medium |
6.4 |
6.4 |
|
|
|
10y ago |
Drupal Reflected file download vulnerability |
| CVE-2026-6367 |
medium |
6.1 |
6.1 |
|
|
|
16d ago |
Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.
The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross s… |
| CVE-2026-6365 |
medium |
6.1 |
6.1 |
|
|
|
16d ago |
Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability. |
| CVE-2016-7571 |
medium |
6.1 |
6.1 |
|
|
|
10y ago |
Drupal Cross-site scripting (XSS) vulnerability |
| CVE-2016-3166 |
medium |
5.9 |
5.9 |
|
|
|
10y ago |
Drupal CRLF injection vulnerability in the drupal_set_header function |
| CVE-2021-32610 |
medium |
— |
5.5 |
|
|
|
5y ago |
RHSA-2022:7628: php:7.4 security, bug fix, and enhancement update (Moderate) |
| CVE-2020-28948 |
medium |
— |
5.5 |
|
|
|
6y ago |
RHSA-2022:6542: php:7.4 security update (Moderate) |
| CVE-2016-6212 |
medium |
5.3 |
5.3 |
|
|
|
10y ago |
Drupal Views can allow unauthorized users to see Statistics information |
| CVE-2016-3170 |
medium |
5.3 |
5.3 |
|
|
|
10y ago |
Drupal sensitive information disclosure |
| CVE-2016-9449 |
medium |
4.3 |
4.3 |
|
|
|
10y ago |
Drupal sensitive information disclosure |
| CVE-2016-7572 |
medium |
4.3 |
4.3 |
|
|
|
10y ago |
Drupal Unprivileged access to config export |
| CVE-2016-7570 |
medium |
4.3 |
4.3 |
|
|
|
10y ago |
Drupal Users without "Administer comments" can set comment visibility on nodes they can edit |
| CVE-2019-11358 |
low |
— |
3.5 |
|
|
|
7y ago |
RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) |
