cbcvebase.

Drupal Core vulnerabilities

108 known vulnerabilities affecting drupal/core.

Total CVEs
108
CISA KEV
6
actively exploited
Public exploits
8
Exploited in wild
9
Severity breakdown
CRITICAL10HIGH35MEDIUM51LOW5UNKNOWN7

Vulnerabilities

Page 2 of 6
CVE-2020-13665P3CRITICAL≥ 8.8.0, < 8.8.8≥ 8.9.0, < 8.9.1+1 more2022-05-24
CVE-2020-13665 [CRITICAL] CWE-863 Drupal Core Access bypass vulnerability Drupal Core Access bypass vulnerability Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.
ghsaosv
CVE-2017-6925P3CRITICAL≥ 8.0, < 8.3.72022-05-13
CVE-2017-6925 [CRITICAL] CWE-269 Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access r
ghsaosv
CVE-2021-41184P3MEDIUMCVSS 6.1≥ 8.0.0, < 9.2.11≥ 9.3.0, < 9.3.32022-01-19
CVE-2021-41184 [MEDIUM] CVE-2021-41184: jQuery UI is a third-party library used by Drupal jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a [jQuery UI 1.13.0](https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7: * CVE-2021-41
osv
CVE-2020-13664P3HIGH≥ 8.8.0, < 8.8.8≥ 8.9.0, < 8.9.1+1 more2022-05-24
CVE-2020-13664 [HIGH] CWE-77 Drupal Core Arbitrary PHP code execution vulnerability Drupal Core Arbitrary PHP code execution vulnerability Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows serve
ghsaosv
CVE-2019-6342P3CRITICAL≥ 8.7.4, < 8.7.52024-01-11
CVE-2019-6342 [CRITICAL] Drupal Improper Access Control Drupal Improper Access Control An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
osv
CVE-2019-11831P3CRITICAL≥ 7.0.0, < 7.67.0≥ 8.0.0, < 8.6.16+1 more2021-09-30
CVE-2019-11831 [CRITICAL] CWE-22 Directory Traversal in typo3/phar-stream-wrapper Directory Traversal in typo3/phar-stream-wrapper The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
ghsaosv
CVE-2016-6211P3HIGH≥ 7.0, < 7.442022-05-17
CVE-2016-6211 [HIGH] CWE-269 Drupal Saving user accounts can sometimes grant the user all roles Drupal Saving user accounts can sometimes grant the user all roles The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.
ghsaosv
CVE-2024-55634P3MEDIUM≥ 8.0.0, < 10.2.11≥ 10.3.0, < 10.3.9+1 more2024-12-10
CVE-2024-55634 [MEDIUM] CWE-178 Drupal core Access bypass Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
ghsaosv
CVE-2016-3171P3HIGH≥ 6.0, < 6.382022-05-17
CVE-2016-3171 [HIGH] CWE-94 Drupal arbitrary code execution Drupal arbitrary code execution Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
ghsaosv
CVE-2020-13677P3HIGHCVSS 7.5≥ 9.2.x, < 9.2.6≥ 9.1.x, < 9.1.13+1 more2022-02-11
CVE-2020-13677 [HIGH] CWE-284 CVE-2020-13677: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certa Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.
ghsanvdosv
CVE-2017-6381P3HIGH≥ 8.0, < 8.2.72022-05-13
CVE-2017-6381 [HIGH] CWE-829 Drupal Remote code execution Drupal Remote code execution A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the
ghsaosv
CVE-2016-3169P3HIGH≥ 6.0, < 6.38≥ 7.0, < 7.432022-05-17
CVE-2016-3169 [HIGH] CWE-269 Drupal saving user accounts can sometimes grant the user all roles Drupal saving user accounts can sometimes grant the user all roles The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
ghsaosv
CVE-2022-25277P3HIGHCVSS 7.2≥ 9.4, < 9.4.3≥ 9.3, < 9.3.192023-04-26
CVE-2022-25277 [HIGH] CWE-434 CVE-2022-25277: Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site
ghsanvdosv
CVE-2025-31674P3MEDIUM≥ 8.0.0, < 10.3.13≥ 10.4.0, < 10.4.3+2 more2025-04-01
CVE-2025-31674 [MEDIUM] CWE-913 Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from
ghsaosv
CVE-2017-6926P3HIGHCVSS 6.1≥ 8.4.0, < 8.4.5≥ 7.0, < 7.572022-05-14
CVE-2017-6926 [HIGH] CWE-200 Drupal Comment reply form allows access to restricted content Drupal Comment reply form allows access to restricted content In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.
ghsaosv
CVE-2017-6924P3HIGH≥ 8.0, < 8.3.72022-05-13
CVE-2017-6924 [HIGH] CWE-269 Drupal REST API can bypass comment approval Drupal REST API can bypass comment approval In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account
ghsaosv
CVE-2020-13670P3HIGHCVSS 7.5≥ 8.8.x, < 8.8.10≥ 8.9.x, < 8.9.6+1 more2022-02-11
CVE-2020-13670 [HIGH] CWE-668 CVE-2020-13670: Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
ghsanvdosv
CVE-2016-3162P3HIGH≥ 7.0, < 7.43≥ 8.0, < 8.0.42022-05-17
CVE-2016-3162 [HIGH] CWE-284 Drupal File upload access bypass and denial of service Drupal File upload access bypass and denial of service The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
ghsaosv
CVE-2022-39261P3UNKNOWN≥ 8.0.0, < 9.3.22≥ 9.4.0, < 9.4.72022-09-28
CVE-2022-39261 CVE-2022-39261: Drupal uses the [Twig](https://twig Drupal uses the [Twig](https://twig.symfony.com/) third-party library for content templating and sanitization. [Twig has released a security update](https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader) that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core's code extending Twig has also been updated to mitigate
osv
CVE-2022-25275P3HIGHCVSS 7.5≥ 9.4, < 9.4.3≥ 9.3, < 9.3.19+1 more2023-04-26
CVE-2022-25275 [HIGH] CVE-2022-25275: In some situations, the Image module does not correctly check access to image files not stored in th In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or sc
ghsanvdosv
Drupal Core vulnerabilities | cvebase