Filtered by vendor Drupal
Subscriptions
Total
992 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-13231 | 1 Drupal | 1 Advanced Content Feedback (aka Admin Feedback) | 2026-07-13 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Stored XSS. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0. | ||||
| CVE-2026-13234 | 1 Drupal | 1 Artificial Intelligence | 2026-07-13 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). This issue affects AI (Artificial Intelligence) versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4.3. | ||||
| CVE-2026-58587 | 1 Drupal | 1 Drupal Canvas | 2026-07-13 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1. | ||||
| CVE-2026-13242 | 1 Drupal | 1 Geolocation Field | 2026-07-13 | 6.5 Medium |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0. | ||||
| CVE-2026-9726 | 1 Drupal | 1 Drupal Alternativecommerce (basket) | 2026-07-13 | N/A |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal AlternativeCommerce (Basket) versions: from 0.0.0 to 2.1.17. | ||||
| CVE-2026-10768 | 1 Drupal | 1 Localgov Workflows | 2026-07-13 | N/A |
| Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing. This issue affects LocalGov Workflows versions: from 0.0.0 to 1.6.0. | ||||
| CVE-2026-4929 | 2 Drupal, Simple Hierarchical Select Project | 2 Simple Hierarchical Select (shs), Simple Hierarchical Select | 2026-06-01 | 5.4 Medium |
| Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10. | ||||
| CVE-2026-4093 | 2 Drupal, Taxonomy Term Reference Tree Widget Project | 2 Term Reference Tree, Taxonomy Term Reference Tree Widget | 2026-06-01 | 5.4 Medium |
| In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11. | ||||
| CVE-2026-5343 | 2 Drupal, Miniorange | 2 Saml Sso - Service Provider, Saml Sso - Service Provider | 2026-06-01 | 7.4 High |
| Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4. | ||||
| CVE-2026-6816 | 2 Drupal, Tfa Basic Plugins Project | 2 Tfa Basic Plugins, Tfa Basic Plugins | 2026-06-01 | 3.8 Low |
| An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2. | ||||
| CVE-2026-8492 | 2 Drupal, Gtranslate | 2 Translate Drupal With Gtranslate, Gtranslate | 2026-05-27 | 2.7 Low |
| Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5. | ||||
| CVE-2026-8495 | 2 Date Ical Project, Drupal | 2 Date Ical, Date Ical | 2026-05-27 | 9.8 Critical |
| Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15. | ||||
| CVE-2026-8493 | 2 Colorbox Inline Project, Drupal | 2 Colorbox Inline, Colorbox Inline | 2026-05-27 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1. | ||||
| CVE-2026-8491 | 2 Adcisolutions, Drupal | 2 Node View Permissions, Node View Permissions | 2026-05-27 | 3.7 Low |
| Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1. | ||||
| CVE-2026-9082 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-23 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. | ||||
| CVE-2026-6871 | 2 Drupal, Obfuscate Project | 2 Obfuscate, Obfuscate | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2. | ||||
| CVE-2026-6095 | 2 Drupal, Gaya | 2 Orejime, Orejime | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16. | ||||
| CVE-2026-6365 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-20 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | ||||
| CVE-2026-6366 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-20 | 6.6 Medium |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | ||||
| CVE-2026-6367 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-20 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7. | ||||