cvebase

Drupal Core vulnerabilities

108 known vulnerabilities affecting drupal/core.

Total CVEs: 108
CISA KEV: 6 (actively exploited)
Public exploits: 8
Exploited in wild: 9
Severity breakdown: CRITICAL 10, HIGH 35, MEDIUM 51, LOW 5, UNKNOWN 7

Vulnerabilities

Page 4 of 6
CVE-2017-6923 | P3 | MEDIUM | affected: ≥ 8.0, < 8.3.7 | 2019-10-10
CWE-862 Missing Authorization in Drupal. In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are
Sources: GHSA, OSV
CVE-2025-13081 | P3 | MEDIUM | affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more | 2025-11-18
CWE-502 Drupal core allows Object Injection. Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Sources: GHSA, OSV
CVE-2016-3163 | P3 | HIGH | affected: ≥ 7.0, < 7.43; ≥ 6.0, < 6.38 | 2022-05-17
Drupal Brute force amplification attacks via XML-RPC. The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
Sources: GHSA, OSV
CVE-2017-6921 | P4 | MEDIUM | affected: ≥ 8.0, < 8.3.4 | 2022-05-13
CWE-20 Drupal file REST resource does not properly validate. In Drupal 8 prior to 8.3.4, the file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload f
Sources: GHSA, OSV
CVE-2019-6341 | P4 | MEDIUM | affected: ≥ 7.0.0, < 7.65.0; ≥ 8.0.0, < 8.5.14; +1 more | 2022-05-24
CWE-79 Drupal Cross Site Scripting (XSS) vulnerability. In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Sources: GHSA, OSV
CVE-2017-6931 | P4 | MEDIUM | affected: ≥ 8.4.0, < 8.4.5 | 2022-05-13
CWE-434 Drupal Settings Tray access bypass. In Drupal 8.4.x versions before 8.4.5, the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasse
Sources: GHSA, OSV
CVE-2024-11942 | P3 | MEDIUM | affected: ≥ 10.0.0, < 10.2.10 | 2024-12-05
CWE-390 Drupal core vulnerable to improper error handling. Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site. The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.
Sources: GHSA, OSV
CVE-2020-13674 | P4 | MEDIUM | CVSS 6.5 | affected: ≥ 9.2, < 9.2.6; ≥ 9.1, < 9.1.13; +1 more | 2022-02-11
CWE-352. The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted user
Sources: GHSA, NVD, OSV
CVE-2016-3168 | P4 | MEDIUM | affected: ≥ 6.0, < 6.38; ≥ 7.0, < 7.43 | 2022-05-17
Drupal Reflected file download vulnerability. The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."
Sources: GHSA, OSV
CVE-2022-25274 | P4 | MEDIUM | CVSS 5.4 | affected: ≥ 9.3, < 9.3.12 | 2023-04-26
CWE-863. Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only
Sources: GHSA, NVD, OSV
CVE-2020-13668 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 8.8.x, < 8.8.10; ≥ 8.9.x, < 8.9.6; +1 more | 2022-02-11
CWE-79. Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Sources: GHSA, NVD, OSV
CVE-2020-13666 | P4 | MEDIUM | affected: ≥ 8.8.0, < 8.8.10; ≥ 8.9.0, < 8.9.6; +2 more | 2022-05-24
CWE-79 Drupal Core Cross-site scripting vulnerability. Cross-site scripting vulnerability in Drupal Core. The Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Sources: GHSA, OSV
CVE-2016-3166 | P4 | MEDIUM | affected: ≥ 6.0, < 6.38 | 2022-05-17
CWE-113 Drupal CRLF injection vulnerability in the drupal_set_header function. CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
Sources: GHSA, OSV
CVE-2017-6379 | P4 | HIGH | affected: ≥ 8.2.0, < 8.2.7 | 2022-05-17
CWE-352 Drupal Cross-Site Request Forgery (CSRF). Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
Sources: GHSA, OSV
CVE-2025-13080 | P4 | LOW | affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more | 2025-11-18
CWE-754 Drupal core allows Forceful Browsing. Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Sources: GHSA, OSV
CVE-2020-13669 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 8.8.x, < 8.8.10; ≥ 8.9.x, < 8.9.6; +1 more | 2022-02-11
CWE-79. Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows an attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Sources: GHSA, NVD, OSV
CVE-2021-41165 | P4 | MEDIUM | CVSS 5.4 | affected: ≥ 8.0.0, < 8.9.20; ≥ 9.1.0, < 9.1.14; +1 more | 2021-11-17
The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/cke4/release/CKEditor-4.17.0), along with a [hotfix for that update](https://ckeditor.com/cke4/release/CKEditor-4.17.1). Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker th
Sources: OSV
CVE-2016-3164 | P4 | HIGH | affected: ≥ 8.0, < 8.0.4; ≥ 7.0, < 7.43; +1 more | 2022-05-17
Drupal Open Redirect. Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
Sources: GHSA, OSV
CVE-2017-6928 | P4 | MEDIUM | affected: ≥ 7.0, < 7.57 | 2022-05-13
CWE-732 Drupal access bypass vulnerability. In Drupal core 7.x versions before 7.57, when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by
Sources: GHSA, OSV
CVE-2020-13667 | P4 | MEDIUM | affected: ≥ 8.8.0, < 8.8.10; ≥ 8.9.0, < 8.9.6; +1 more | 2022-05-24
CWE-276 Drupal Core Access bypass vulnerability. Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated
Sources: GHSA, OSV