Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
754 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2005-3974 | 1 Drupal | 1 Drupal | 2026-04-16 | N/A |
| Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission. | ||||
| CVE-2006-2832 | 1 Drupal | 1 Drupal | 2026-04-16 | N/A |
| Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename. | ||||
| CVE-2006-3570 | 1 Drupal | 1 Drupal | 2026-04-16 | N/A |
| Cross-site scripting (XSS) vulnerability in the webform module in Drupal 4.6 before July 8, 2006 and 4.7 before July 8, 2006 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2020-11022 | 9 Debian, Drupal, Fedoraproject and 6 more | 88 Debian Linux, Drupal, Fedora and 85 more | 2026-04-13 | 6.9 Medium |
| In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
| CVE-2025-31675 | 1 Drupal | 1 Drupal | 2026-04-02 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12. | ||||
| CVE-2025-9551 | 2 Drupal, Protected Pages Project | 2 Drupal, Protected Pages | 2026-03-26 | 6.5 Medium |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.This issue affects Protected Pages: from 0.0.0 before 1.8.0, from 7.X-1.0 before 7.X-2.5. | ||||
| CVE-2025-12848 | 2 Drupal, Webform Multiple File Upload Project | 3 Drupal, Webform Module, Webform Multiple File Upload | 2026-03-26 | 6.1 Medium |
| Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module. | ||||
| CVE-2025-6675 | 2 Drupal, Miniorange | 2 Drupal, Miniorange 2fa | 2026-02-26 | 4.8 Medium |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0.*, from 0.0.0 before 5.1.*. | ||||
| CVE-2025-8995 | 2 Authenticator Login Project, Drupal | 2 Authenticator Login, Drupal | 2026-02-26 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4. | ||||
| CVE-2025-13081 | 1 Drupal | 2 Drupal, Drupal Core | 2026-02-26 | 5.9 Medium |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | ||||
| CVE-2025-13083 | 1 Drupal | 2 Drupal, Drupal Core | 2026-01-16 | 3.7 Low |
| Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103. | ||||
| CVE-2025-9552 | 2 Drupal, Synchronize Composer.json With Contrib Modules Project | 2 Drupal, Synchronize Composer.json With Contrib Modules | 2026-01-05 | 5.3 Medium |
| Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules: *.*. | ||||
| CVE-2025-9550 | 2 Drupal, Facets Project | 2 Drupal, Facets | 2026-01-05 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1. | ||||
| CVE-2025-9549 | 2 Drupal, Facets Project | 2 Drupal, Facets | 2026-01-05 | 6.5 Medium |
| Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1. | ||||
| CVE-2025-8093 | 2 Authenticator Login Project, Drupal | 2 Authenticator Login, Drupal | 2026-01-05 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8. | ||||
| CVE-2018-7602 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-12-17 | 9.8 Critical |
| A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | ||||
| CVE-2025-10930 | 2 2bits, Drupal | 3 Currency, Currency, Drupal | 2025-12-12 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0. | ||||
| CVE-2025-10926 | 2 Drupal, Json Field Project | 3 Drupal, Json Field, Json Field | 2025-12-12 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).This issue affects JSON Field: from 0.0.0 before 1.5. | ||||
| CVE-2025-10927 | 2 Drupal, Plausible Tracking Project | 3 Drupal, Plausible Tracking, Plausible Tracking | 2025-12-12 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).This issue affects Plausible tracking: from 0.0.0 before 1.0.2. | ||||
| CVE-2025-10928 | 2 Access Code Project, Drupal | 3 Access Code, Access Code, Drupal | 2025-12-12 | 6.3 Medium |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5. | ||||