
Drupal Core vulnerabilities

108 known vulnerabilities affecting drupal/core.

Total CVEs: 108
CISA KEV: 6 (actively exploited)
Public exploits: 8
Exploited in wild: 9
Severity breakdown: CRITICAL 10, HIGH 35, MEDIUM 51, LOW 5, UNKNOWN 7

Vulnerabilities

Page 1 of 6
CVE-2018-7602 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | affected: < 7.59; < 8.5.3 (+1 more) | 2018-07-19
CVE-2018-7602 [CRITICAL] CWE-94: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2
Sources: GHSA, NVD, OSV
CVE-2018-7600 | P1 | CRITICAL | KEV, PoC, Ransomware | affected: ≥ 7.0, < 7.58; ≥ 8.0, < 8.3.9 (+2 more) | 2022-05-14
CVE-2018-7600 [CRITICAL] CWE-20: Drupal Core Remote Code Execution Vulnerability. Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Sources: GHSA, OSV
CVE-2026-9082 | P1 | CRITICAL | KEV, PoC | affected: ≥ 8.9.0, < 10.4.10; ≥ 10.5.0, < 10.5.10 (+4 more) | 2026-05-20
CVE-2026-9082 [CRITICAL] CWE-89: Drupal Core has a SQL Injection issue. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Sources: GHSA
CVE-2019-6340 | P1 | HIGH | KEV, PoC | affected: ≥ 8.6.0, < 8.6.10; ≥ 7.0.0, < 7.62.0 (+1 more) | 2022-05-13
CVE-2019-6340 [HIGH] CWE-502: Drupal Core Remote Code Execution Vulnerability. Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests
Sources: GHSA, OSV
CVE-2020-36193 | P1 | HIGH | CVSS 7.5 | KEV, Ransomware | affected: ≥ 8.0.0, < 8.9.13; ≥ 9.0.0, < 9.0.11 (+1 more) | 2021-01-20
CVE-2020-36193 [HIGH]: The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal. For more information please see: [CVE-2020-36193](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193). Exploits may be possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processe
Sources: OSV
CVE-2020-13671 | P1 | HIGH | KEV, Ransomware | affected: ≥ 9.0.0, < 9.0.8; ≥ 8.9.0, < 8.9.9 (+2 more) | 2021-10-12
CVE-2020-13671 [HIGH] CWE-434: Drupal core Unrestricted Upload of File with Dangerous Type. Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior
Sources: GHSA, OSV
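Added example, not Drupal core's code, illustrating the filename problem described for CVE-2020-13671 and one way to neutralise it. On hosts where a handler rule matches `.php` anywhere in the name (Apache's mod_mime evaluates every dotted segment), `report.php.txt` is handed to the PHP engine. The function below keeps the final extension only if it is allowlisted and appends an underscore to every non-final segment that is dangerous or not allowlisted, so `report.php.txt` becomes `report.php_.txt`, which no handler rule matches. Drupal core takes the same underscore approach; the function name, the dangerous-extension list and the sample filenames here are this example's own.

```php
<?php
// Added example, not Drupal core's implementation. Assumptions: the caller has
// already decided which extensions the upload field permits ($allowed), and we
// only need to emit a filename that no web-server handler rule will execute.
// Every non-final extension that is dangerous or not allowlisted is renamed
// "ext" -> "ext_", which mod_mime does not recognise.

function munge_upload_filename(string $filename, array $allowed): string
{
    // Extensions that must never survive as a non-final segment, whatever the allowlist says.
    static $dangerous = [
        'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'pht', 'phtml', 'phar',
        'cgi', 'pl', 'py', 'asp', 'aspx', 'jsp', 'sh', 'htaccess', 'htpasswd',
    ];
    $allowed = array_map('strtolower', $allowed);

    // Path tricks are a separate class of bug; strip NUL bytes and directory parts first.
    $filename = basename(str_replace("\0", '', $filename));
    if ($filename === '' || $filename[0] === '.') {
        throw new InvalidArgumentException('Refusing empty or dot-prefixed filename');
    }

    $segments = explode('.', $filename);
    $base     = array_shift($segments);                          // text before the first dot
    $last     = count($segments) ? array_pop($segments) : null;  // the real extension, if any

    // Munge the intermediate segments; mod_mime stops matching once "php" is "php_".
    foreach ($segments as &$segment) {
        $lower = strtolower($segment);
        if (in_array($lower, $dangerous, true) || !in_array($lower, $allowed, true)) {
            $segment .= '_';
        }
    }
    unset($segment);

    if ($last === null || !in_array(strtolower($last), $allowed, true)) {
        // Missing or non-allowlisted final extension: refuse rather than guess.
        throw new InvalidArgumentException("Extension '" . ($last ?? '') . "' is not permitted");
    }

    return implode('.', array_merge([$base], $segments, [$last]));
}

// Constructed sample inputs, checked against an allowlist of txt and jpg.
$allowed = ['txt', 'jpg'];
foreach (['report.txt', 'report.php.txt', 'Shell.PHP.jpg', 'a.phar.jpg.txt', '../../index.php.txt'] as $name) {
    echo $name, ' -> ', munge_upload_filename($name, $allowed), "\n";
}
```

Note that the check is case-insensitive (`Shell.PHP.jpg` is munged to `Shell.PHP_.jpg`) and that a dangerous extension is munged even when the operator has allowlisted it, since an allowlist entry such as `php` should never be able to re-enable a handler match in a non-final position.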
CVE-2020-11022 | P1 | MEDIUM | CVSS 6.1 | Exploited, PoC | affected: ≥ 8.0.0, < 8.7.14; ≥ 8.8.0, < 8.8.6 | 2020-05-20
CVE-2020-11022 [MEDIUM]: The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the [jQuery blog](https://blog.jquery.com/2020/05/04/jquery-3-5-1-released-fixing-a-regression/), both are "[...] security issues in jQuery's DOM manipulation methods, as in `.html()`, `.append()`, and the others." Security advisories for both of these issues have been
Sources: OSV
CVE-2019-11358 | P2 | UNKNOWN | Exploited, PoC | affected: ≥ 8.0.0, < 8.5.15; ≥ 8.6.0, < 8.6.15 | 2019-04-17
CVE-2019-11358: The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their [release notes](https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/): "jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the
Sources: OSV
CVE-2017-6922 | P2 | MEDIUM | Exploited | affected: ≥ 7.0, < 7.56; ≥ 8.0, < 8.3.4 | 2022-05-13
CVE-2017-6922 [MEDIUM] CWE-552: Drupal core access bypass vulnerability. In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This
Sources: GHSA, OSV
CVE-2019-6339 | P2 | CRITICAL | affected: ≥ 7.0.0, < 7.62.0; ≥ 8.0.0, < 8.5.9 (+1 more) | 2022-01-06
CVE-2019-6339 [CRITICAL] CWE-20: Arbitrary PHP code execution in Drupal. In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6, and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulne
Sources: GHSA, OSV
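Added example, not Drupal core's code, showing the call pattern behind CVE-2019-6339 and a generic guard. On the PHP 7.x releases these Drupal versions ran on, any stream-aware filesystem function that receives a `phar://` path, even a bare `file_exists()`, opens the archive and unserialize()s its metadata; an attacker who can upload a valid phar under a harmless name and steer a path string into such a call therefore gets unserialize() on attacker-controlled data. The guard below rejects any scheme outside an allowlist before the path reaches the call, a simpler substitute for the dedicated phar stream wrapper Drupal's own fix registered. The helper names and the scheme allowlist (Drupal's `public`, `private` and `temporary` wrappers plus `file`) are this example's assumptions.

```php
<?php
// Added example, not Drupal core's code. Assumption: PHP 7.x, where opening a
// phar:// path through any filesystem function unserialize()s the archive's
// metadata. The helper names and the scheme allowlist are this example's own.

// VULNERABLE: a user-influenced string reaches a stream-aware filesystem call.
// "phar://sites/default/files/avatar.jpg/x" is enough; the uploaded avatar.jpg
// only has to be a valid phar archive carrying crafted metadata.
function file_is_present_vulnerable(string $path): bool
{
    return file_exists($path);
}

// HARDENED: only the schemes this code expects may reach the filesystem call.
function assert_safe_path(string $path, array $allowedSchemes = ['file', 'public', 'private', 'temporary']): string
{
    // PHP honours a wrapper only at the very start of the string and matches it
    // case-insensitively, so PHAR:// must be caught too. Requiring at least two
    // characters leaves Windows drive letters such as C:\ alone.
    if (preg_match('#^([a-z][a-z0-9+.\-]+):#i', $path, $m) === 1) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, $allowedSchemes, true)) {
            throw new InvalidArgumentException("Refusing path with scheme '$scheme'");
        }
    }
    // Separate, equally common tricks at the same call sites.
    if (strpos($path, "\0") !== false || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $path) === 1) {
        throw new InvalidArgumentException('Refusing NUL byte or parent-directory segment');
    }
    return $path;
}

function file_is_present(string $path): bool
{
    return file_exists(assert_safe_path($path));
}

// Constructed inputs: the first is an ordinary relative path, the rest are
// rejected before PHP ever resolves a wrapper.
$inputs = [
    'sites/default/files/logo.png',
    'phar://sites/default/files/avatar.jpg/x',
    'PHAR:///tmp/avatar.jpg',
    'php://filter/resource=settings.php',
    'sites/default/files/../../settings.php',
];
foreach ($inputs as $input) {
    try {
        printf("%-45s %s\n", $input, file_is_present($input) ? 'exists' : 'absent');
    } catch (InvalidArgumentException $e) {
        printf("%-45s rejected: %s\n", $input, $e->getMessage());
    }
}
```

The guard belongs at every site that passes user-influenced strings to `file_exists()`, `is_dir()`, `filemtime()`, `copy()`, `file_get_contents()` and the like; rejecting the scheme up front is cheaper and easier to audit than trying to prove a given call is harmless.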
CVE-2016-5385 | P2 | HIGH | affected: ≥ 8.0, < 8.1.7 | 2022-04-07
CVE-2016-5385 [HIGH]: HTTP Proxy header vulnerability. PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an applicati
Sources: OSV
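Added example, not Drupal core's code: a request-bootstrap guard for the httpoxy condition described under CVE-2016-5385. Under CGI/FastCGI the request header `Proxy: http://203.0.113.5:8080` is exported as `$_SERVER['HTTP_PROXY']` and, through the SAPI, to `getenv('HTTP_PROXY')`, which outbound HTTP clients read as the operator's proxy setting. The function names and the sample header value are this example's own; the `$sapi` parameter exists only so the behaviour can be exercised from the command line.

```php
<?php
// Added example, not Drupal core's code. Assumptions: this runs at request
// bootstrap, before anything that makes outbound HTTP calls; the function
// names and the sample header value are this example's own.

// Removes a request-header-sourced HTTP_PROXY from both places application
// code can read it. Returns the injected value (log it, or reject the request)
// or null when no Proxy header was sent.
function neutralise_httpoxy(string $sapi = PHP_SAPI): ?string
{
    // In the CLI SAPI, $_SERVER mirrors the real process environment and no
    // request header exists, so an HTTP_PROXY there is genuine configuration.
    if ($sapi === 'cli' || !array_key_exists('HTTP_PROXY', $_SERVER)) {
        return null;
    }
    $injected = $_SERVER['HTTP_PROXY'];
    unset($_SERVER['HTTP_PROXY']);          // the copy application code reads
    if (getenv('HTTP_PROXY') === $injected) {
        putenv('HTTP_PROXY');               // the copy HTTP clients read via getenv()
    }
    return $injected;
}

// The rule HTTP client libraries adopted after httpoxy: HTTP_PROXY counts as
// configuration only in the CLI SAPI, where no request header can set it.
function outbound_proxy_from_environment(string $sapi = PHP_SAPI): ?string
{
    if ($sapi !== 'cli') {
        return null;
    }
    $proxy = getenv('HTTP_PROXY');
    return ($proxy === false || $proxy === '') ? null : $proxy;
}

// Constructed request: what a CGI/FastCGI SAPI exposes for the header
// "Proxy: http://203.0.113.5:8080".
$_SERVER['HTTP_PROXY'] = 'http://203.0.113.5:8080';
putenv('HTTP_PROXY=http://203.0.113.5:8080');

echo 'proxy a web-SAPI client would use: ', outbound_proxy_from_environment('fpm-fcgi') ?? 'none', "\n";
echo 'injected header value: ', neutralise_httpoxy('fpm-fcgi') ?? 'none', "\n";
echo 'HTTP_PROXY after cleanup: ', var_export(getenv('HTTP_PROXY'), true), "\n";
```

Clearing the variable in PHP is defence in depth. The primary fixes are to drop the header at the web server (for Apache, `RequestHeader unset Proxy early`) and to upgrade PHP and HTTP client libraries; Guzzle, for instance, stopped honouring `HTTP_PROXY` outside the CLI SAPI after httpoxy.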
CVE-2017-6920 | P2 | CRITICAL | affected: ≥ 8.0, < 8.3.4 | 2022-05-14
CVE-2017-6920 [CRITICAL] CWE-94: Drupal PECL YAML parser unsafe object handling. Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
Sources: GHSA, OSV
CVE-2020-28948 | P3 | HIGH | CVSS 7.8 | affected: ≥ 7.0.0, < 7.75; ≥ 8.0.0, < 8.8.12 (+2 more) | 2024-05-15
CVE-2020-28948 [HIGH] CWE-94: Drupal core Arbitrary PHP code execution. The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948, CVE-2020-28949. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them. To mitigate this issue, prevent untrusted users from up
Sources: GHSA, OSV
CVE-2024-45440 | P3 | MEDIUM | PoC | affected: ≥ 10.3.0, < 10.3.6; ≥ 11.0.0, < 11.0.5 (+1 more) | 2024-08-29
CVE-2024-45440 [MEDIUM] CWE-209: Drupal Full Path Disclosure. `core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.
Sources: GHSA, OSV
CVE-2021-32610 | P3 | UNKNOWN | affected: ≥ 8.0.0, < 8.9.17; ≥ 9.1.0, < 9.1.11 (+1 more) | 2021-07-21
CVE-2021-32610: The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal. The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. Exploitation may be possible if contrib or custom code uses the library to extract tar archives (
Sources: OSV
CVE-2024-55638 | P2 | HIGH | affected: ≥ 8.8.0, < 10.2.11; ≥ 10.3.0, < 10.3.9 (+1 more) | 2024-12-10
CVE-2024-55638 [HIGH] CWE-502: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe in
Sources: GHSA, OSV
CVE-2021-33829 | P3 | MEDIUM | CVSS 6.1 | PoC | affected: ≥ 7.0.0, < 7.80; ≥ 8.0.0, < 8.9.16 (+2 more) | 2021-06-21
CVE-2021-33829 [MEDIUM] CWE-79: ckeditor4 vulnerable to cross-site scripting. A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because `--!>` is mishandled.
Sources: GHSA, OSV
CVE-2024-55636 | P2 | LOW | affected: ≥ 8.8.0, < 10.2.11; ≥ 10.3.0, < 10.3.9 (+1 more) | 2024-12-10
CVE-2024-55636 [LOW] CWE-502: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe inpu
Sources: GHSA, OSV
CVE-2024-55637 | P2 | HIGH | affected: ≥ 8.8.0, < 10.2.11; ≥ 10.3.0, < 10.3.9 (+1 more) | 2024-12-10
CVE-2024-55637 [HIGH] CWE-502: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe in
Sources: GHSA, OSV
CVE-2020-13675 | P3 | CRITICAL | CVSS 9.8 | affected: 9.2.x < 9.2.6; 9.1.x < 9.1.13 (+1 more) | 2022-02-11
CVE-2020-13675 [CRITICAL] CWE-284: Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
Sources: GHSA, NVD, OSV