cvebase

Drupal Core vulnerabilities

108 known vulnerabilities affecting drupal/core.

Total CVEs: 108
CISA KEV: 6 (actively exploited)
Public exploits: 8
Exploited in wild: 9
Severity breakdown: CRITICAL 10, HIGH 35, MEDIUM 51, LOW 5, UNKNOWN 7

Vulnerabilities

Page 5 of 6
CVE-2022-24728 | P4 | MEDIUM | CVSS 5.4 | ≥ 8.0.0, < 9.2.15; ≥ 9.3.0, < 9.3.8 | 2022-03-16
CVE-2022-24728 [MEDIUM] The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patches/). Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content
Sources: osv
CVE-2016-3170 | P4 | MEDIUM | ≥ 7.0, < 7.43; ≥ 8.0, < 8.0.4 | 2022-05-17
CVE-2016-3170 [MEDIUM] CWE-200 Drupal sensitive information disclosure: The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
Sources: ghsa, osv
CVE-2020-13672 | P4 | MEDIUM | CVSS 6.1 | ≥ 9.1.x, < 9.1.7; ≥ 9.0.x, < 9.0.12; +2 more | 2022-02-11
CVE-2020-13672 [MEDIUM] CWE-79 Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.
Sources: ghsa, nvd, osv
CVE-2018-9861 | P4 | MEDIUM | ≥ 8.5.0, < 8.5.2; ≥ 8.0, < 8.4.7 | 2022-05-14
CVE-2018-9861 [MEDIUM] CWE-79 Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS): The Enhanced Image (aka [image2](https://github.com/ckeditor/ckeditor4/tree/master/plugins/image2)) plugin for CKEditor in versions 4.5.10 through 4.9.1; fixed in 4.9.2, and as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, is vulnerable to cross-site scripting because it allows remot
Sources: ghsa, osv
CVE-2016-3167 | P4 | HIGH | ≥ 6.0, < 6.38 | 2022-05-17
CVE-2016-3167 [HIGH] CWE-601 Drupal Open redirect vulnerability in the drupal_goto function: Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
Sources: ghsa, osv
CVE-2020-13688 | P4 | MEDIUM | ≥ 8.8.0, < 8.8.10; ≥ 8.9.0, < 8.9.6; +1 more | 2022-05-24
CVE-2020-13688 [MEDIUM] CWE-79 Drupal Core Cross-site scripting vulnerability: A cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
Sources: ghsa, osv
CVE-2022-25276 | P4 | MEDIUM | CVSS 6.1 | ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.19 | 2023-04-26
CVE-2022-25276 [MEDIUM] CWE-79 The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Sources: ghsa, nvd, osv
CVE-2019-10909 | P4 | MEDIUM | CVSS 5.4 | ≥ 8.0.0, < 8.5.15; ≥ 8.6.0, < 8.6.15 | 2019-11-12
CVE-2019-10909 [MEDIUM] CWE-79 Symfony Cross-site Scripting (XSS) vulnerability: In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
Sources: ghsa, osv
CVE-2016-6212 | P4 | MEDIUM | ≥ 8.0, < 8.1.3 | 2022-05-17
CVE-2016-6212 [MEDIUM] CWE-200 Drupal Views can allow unauthorized users to see Statistics information: The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.
Sources: ghsa, osv
CVE-2016-9452 | P4 | MEDIUM | ≥ 8.0, < 8.2.3 | 2022-05-17
CVE-2016-9452 [MEDIUM] CWE-20 Drupal Denial of service via transliterate mechanism: The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
Sources: ghsa, osv
CVE-2016-7570 | P4 | MEDIUM | ≥ 8.0.0, < 8.1.10 | 2022-05-17
CVE-2016-7570 [MEDIUM] CWE-269 Drupal Users without "Administer comments" can set comment visibility on nodes they can edit: Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
Sources: ghsa, osv
CVE-2020-13662 | P4 | MEDIUM | ≥ 7.0.0, < 7.70 | 2022-05-24
CVE-2020-13662 [MEDIUM] CWE-601 Drupal Core Open Redirect vulnerability: An open redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions.
Sources: ghsa, osv
CVE-2026-6365 | P4 | MEDIUM | ≥ 8.0.0, < 10.5.9; ≥ 10.6.0, < 10.6.7; +2 more | 2026-05-20
CVE-2026-6365 [MEDIUM] CWE-79 Drupal core is Vulnerable to Cross-Site Scripting: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Sources: ghsa
CVE-2026-6367 | P4 | MEDIUM | ≥ 11.3.0, < 11.3.7 | 2026-05-20
CVE-2026-6367 [MEDIUM] CWE-79 Drupal core allows Cross-Site Scripting (XSS): Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.
Sources: ghsa
CVE-2017-6927 | P4 | MEDIUM | ≥ 8.4.0, < 8.4.5; ≥ 7.0, < 7.57 | 2022-05-14
CVE-2017-6927 [MEDIUM] CWE-79 Drupal cross-site scripting vulnerability: Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting v
Sources: ghsa, osv
CVE-2017-6929 | P4 | MEDIUM | ≥ 7.0, < 7.57; ≥ 8.0, < 8.4.0 | 2022-05-14
CVE-2017-6929 [MEDIUM] CWE-79 Drupal cross-site scripting vulnerability: A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57).
Sources: ghsa, osv
CVE-2025-31675 | P4 | LOW | ≥ 8.0.0, < 10.3.14; ≥ 10.4.0, < 10.4.5; +2 more | 2025-04-01
CVE-2025-31675 [LOW] CWE-79 Drupal Core Cross-Site Scripting (XSS) Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
Sources: ghsa, osv
CVE-2025-3057 | P4 | MEDIUM | ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more | 2025-04-01
CVE-2025-3057 [MEDIUM] CWE-79 Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Sources: ghsa, osv
CVE-2016-7572 | P4 | MEDIUM | ≥ 8.0, < 8.1.10 | 2022-05-17
CVE-2016-7572 [MEDIUM] Drupal Unprivileged access to config export: The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.
Sources: ghsa, osv
CVE-2016-7571 | P4 | MEDIUM | ≥ 8.0, < 8.1.10 | 2022-05-17
CVE-2016-7571 [MEDIUM] CWE-79 Drupal Cross-site scripting (XSS) vulnerability: Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
Sources: ghsa, osv