Drupal Core vulnerabilities
108 known vulnerabilities affecting drupal/core.
Total CVEs: 108
CISA KEV: 6 (actively exploited)
Public exploits: 8
Exploited in wild: 9
Severity breakdown: CRITICAL 10, HIGH 35, MEDIUM 51, LOW 5, UNKNOWN 7
Vulnerabilities (page 3 of 6)
CVE-2022-25271 | P3 | HIGH | CVSS 7.5 | CWE-20 | Affected: ≥ 9.3.x, < 9.3.6; ≥ 9.2.x, < 9.2.13; +1 more | Date: 2022-02-16
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Sources: GHSA, NVD, OSV
CVE-2022-31042 | P3 | UNKNOWN | Affected: ≥ 8.0.0, < 9.2.21; ≥ 9.3.0, < 9.3.16 | Date: 2022-06-10
*Updated 22:00 UTC 2022-06-10: Added steps to update without `drupal/core-recommended`.*
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
* [Failure to strip the Cookie header on change in host or HTTP downgrade](https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25
Sources: OSV
CVE-2023-5256 | P3 | HIGH | CVSS 7.5 | CWE-200 | Affected: ≥ 10.1, ≤ 10.1.4; ≥ 10.0, ≤ 10.0.11; +1 more | Date: 2023-09-28
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.
The core
Sources: GHSA, NVD, OSV
CVE-2022-25273 | P3 | HIGH | CVSS 7.5 | CWE-20 | Affected: ≥ 9.3, < 9.3.12; ≥ 9.2, < 9.2.18 | Date: 2023-04-26
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Sources: GHSA, NVD, OSV
CVE-2017-6930 | P3 | HIGH | CWE-284 | Affected: ≥ 8.4.0, < 8.4.5 | Date: 2022-05-13
Drupal access bypass vulnerability
In Drupal 8.4.x versions before 8.4.5, when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only appl
Sources: GHSA, OSV
CVE-2016-3165 | P3 | HIGH | CWE-284 | Affected: ≥ 6.0, < 6.38 | Date: 2022-05-17
Drupal Form API ignores access restrictions on submit buttons
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Sources: GHSA, OSV
CVE-2011-2687 | P3 | HIGH | CWE-284 | Affected: ≥ 7.0, < 7.3 | Date: 2022-05-17
Drupal Access Control Bypass
Drupal 7.x before 7.3 allows remote attackers to bypass intended `node_access` restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
Sources: GHSA, OSV
CVE-2022-24775 | P3 | UNKNOWN | Affected: ≥ 8.0.0, < 9.2.16; ≥ 9.3.0, < 9.3.9 | Date: 2022-03-21
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96) which may affect some Drupal sites.
We are issuing this security advisory outside our regular [Drupal security release window schedule](https://w
Sources: OSV
CVE-2017-6919 | P3 | HIGH | CWE-284 | Affected: ≥ 8.0, < 8.2.8; ≥ 8.3.0, < 8.3.1 | Date: 2022-05-13
Drupal access control bypass vulnerability
Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
Sources: GHSA, OSV
CVE-2019-6338 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 8.0.0, < 8.5.9; ≥ 8.6.0, < 8.6.6 | Date: 2019-01-16
Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to [CVE-2018-1000888](https://nvd.nist.gov/vuln/detail/CVE-2018-1000888) for details.
Sources: OSV
CVE-2022-29248 | P3 | UNKNOWN | Affected: ≥ 8.0.0, < 9.2.20; ≥ 9.3.0, < 9.3.14 | Date: 2022-05-25
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3) which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
We are issuing this security adviso
Sources: OSV
CVE-2017-6377 | P3 | HIGH | CWE-863 | Affected: ≥ 8.2.0, < 8.2.7 | Date: 2022-05-13
Drupal editor module incorrectly checks access to inline private files
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
Sources: GHSA, OSV
CVE-2024-11941 | P3 | HIGH | CWE-835 | Affected: ≥ 10.1.0, < 10.1.8; ≥ 10.2.0, < 10.2.2 | Date: 2024-12-05
Drupal core Denial of Service
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DoS).
Sites that do not use the Comment module are not affected.
Sources: GHSA, OSV
CVE-2022-25278 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.19 | Date: 2023-04-26
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
Sources: GHSA, NVD, OSV
CVE-2016-9450 | P3 | HIGH | CWE-345 | Affected: ≥ 8.0, < 8.2.3 | Date: 2022-05-17
Drupal Incorrect cache context on password reset page
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
Sources: GHSA, OSV
CVE-2026-6366 | P3 | MEDIUM | CWE-915 | Affected: ≥ 8.0.0, < 10.5.9; ≥ 10.6.0, < 10.6.7; +2 more | Date: 2026-05-20
Drupal core allows Object Injection
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object Injection.
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Sources: GHSA
CVE-2022-25270 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | Affected: ≥ 9.3.x, < 9.3.6; ≥ 9.2.x, < 9.2.13 | Date: 2022-02-17
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
Sources: GHSA, NVD, OSV
CVE-2023-31250 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | Affected: ≥ 7.0, < 7.96; ≥ 10.0, < 10.0.8; +2 more | Date: 2023-04-26
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private fil
Sources: GHSA, NVD, OSV
CVE-2020-13663 | P3 | HIGH | CWE-352 | Affected: ≥ 8.9.0, < 8.9.1; ≥ 9.0.0, < 9.0.1; +2 more | Date: 2022-05-24
Drupal Core Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery vulnerability: the Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Sources: GHSA, OSV
CVE-2020-13676 | P4 | MEDIUM | CVSS 6.5 | CWE-284 | Affected: ≥ 9.2, < 9.2.6; ≥ 9.1, < 9.1.13; +1 more | Date: 2022-02-11
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
Sources: GHSA, NVD, OSV