Drupal Core vulnerabilities
108 known vulnerabilities affecting drupal/core.
Total CVEs: 108
CISA KEV: 6 (actively exploited)
Public exploits: 8
Exploited in wild: 9
Severity breakdown: CRITICAL 10, HIGH 35, MEDIUM 51, LOW 5, UNKNOWN 7
Vulnerabilities
Page 5 of 6
CVE-2022-24728 [MEDIUM]
P4 | CVSS 5.4 | Affected: ≥ 8.0.0, < 9.2.15; ≥ 9.3.0, < 9.3.8 | Date: 2022-03-16
The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patches/).
Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content
Sources: osv
CVE-2016-3170 [MEDIUM] CWE-200 Drupal sensitive information disclosure
P4 | Affected: ≥ 7.0, < 7.43; ≥ 8.0, < 8.0.4 | Date: 2022-05-17
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to log in and a module that permits logging in.
Sources: ghsa, osv
CVE-2020-13672 [MEDIUM] CWE-79
P4 | CVSS 6.1 | Affected: ≥ 9.1.x, < 9.1.7; ≥ 9.0.x, < 9.0.12; +2 more | Date: 2022-02-11
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.
Sources: ghsa, nvd, osv
CVE-2018-9861 [MEDIUM] CWE-79 Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS)
P4 | Affected: ≥ 8.5.0, < 8.5.2; ≥ 8.0, < 8.4.7 | Date: 2022-05-14
The Enhanced Image (aka [image2](https://github.com/ckeditor/ckeditor4/tree/master/plugins/image2)) plugin for CKEditor in versions 4.5.10 through 4.9.1; fixed in 4.9.2, and as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, is vulnerable to cross-site scripting because it allows remot
Sources: ghsa, osv
CVE-2016-3167 [HIGH] CWE-601 Drupal Open redirect vulnerability in the drupal_goto function
P4 | Affected: ≥ 6.0, < 6.38 | Date: 2022-05-17
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
Sources: ghsa, osv
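A defensive check for a "destination"-style redirect parameter of the kind CVE-2016-3167 abuses, as an added example that is not Drupal's code and not the patched drupal_goto(): it percent-decodes the value until it stops changing (with a bound), so a double-encoded `%252F%252Fevil.example` is judged as `//evil.example`, and then accepts only targets that still resolve to the site's own origin after WHATWG URL parsing. The site origin `https://site.invalid`, the helper names and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not Drupal code: validate a redirect "destination" so that it
// can only land on a local path, even when the value arrives double-encoded.

const MAX_DECODE_PASSES = 5; // bound the loop; hostile input can nest encodings

// Percent-decode repeatedly until the string stops changing. Returns null when
// the input is malformed or is still changing after MAX_DECODE_PASSES; the
// caller treats both as unsafe.
function fullyDecode(value) {
  let current = String(value);
  for (let pass = 0; pass < MAX_DECODE_PASSES; pass++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (err) {
      return null; // malformed percent sequence such as "%E0%A4%A"
    }
    if (decoded === current) return current;
    current = decoded;
  }
  return null;
}

// Accept only values that (a) decode cleanly, (b) start with "/" so absolute
// URLs and schemes such as javascript: are out, and (c) still resolve to the
// site's own origin after URL parsing. Step (c) rejects protocol-relative
// forms: "//evil.example" and "/\evil.example" both resolve to
// https://evil.example when the site itself is https.
function isSafeDestination(value, siteOrigin = 'https://site.invalid') {
  const decoded = fullyDecode(value);
  if (decoded === null || !decoded.startsWith('/')) return false;
  let resolved;
  try {
    resolved = new URL(decoded, siteOrigin);
  } catch (err) {
    return false;
  }
  return resolved.origin === new URL(siteOrigin).origin;
}

// Constructed sample inputs: values a request might carry in ?destination=
const SAMPLE_DESTINATIONS = [
  '/node/1',
  '/user/login?destination=%2Fnode%2F1',
  '//evil.example',
  '%2F%2Fevil.example',
  '%252F%252Fevil.example', // double-encoded; a single decode pass misses it
  '/\\evil.example',
  'https://evil.example/',
  'javascript:alert(1)',
];

// The subset of SAMPLE_DESTINATIONS that passes the check.
function acceptedDestinations() {
  return SAMPLE_DESTINATIONS.filter((d) => isSafeDestination(d));
}

for (const d of SAMPLE_DESTINATIONS) {
  console.log(isSafeDestination(d) ? 'ACCEPT' : 'REJECT', d);
}
```

The check is deliberately conservative: it validates the fully decoded form, so a value that would only become external after a second decode somewhere downstream is refused up front. When redirecting, pass on the value exactly as received rather than the decoded copy, so the validation and the redirect see the same bytes.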
CVE-2020-13688 [MEDIUM] CWE-79 Drupal Core Cross-site scripting vulnerability
P4 | Affected: ≥ 8.8.0, < 8.8.10; ≥ 8.9.0, < 8.9.6; +1 more | Date: 2022-05-24
An attacker could leverage the way that HTML is rendered for affected forms in order to exploit this cross-site scripting vulnerability in Drupal Core. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Sources: ghsa, osv
CVE-2022-25276 [MEDIUM] CWE-79
P4 | CVSS 6.1 | Affected: ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.19 | Date: 2023-04-26
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Sources: ghsa, nvd, osv
CVE-2019-10909 [MEDIUM] CWE-79 Symfony Cross-site Scripting (XSS) vulnerability
P4 | CVSS 5.4 | Affected: ≥ 8.0.0, < 8.5.15; ≥ 8.6.0, < 8.6.15 | Date: 2019-11-12
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
Sources: ghsa, osv
CVE-2016-6212 [MEDIUM] CWE-200 Drupal Views can allow unauthorized users to see Statistics information
P4 | Affected: ≥ 8.0, < 8.1.3 | Date: 2022-05-17
The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.
Sources: ghsa, osv
CVE-2016-9452 [MEDIUM] CWE-20 Drupal Denial of service via transliterate mechanism
P4 | Affected: ≥ 8.0, < 8.2.3 | Date: 2022-05-17
The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
Sources: ghsa, osv
CVE-2016-7570 [MEDIUM] CWE-269 Drupal Users without "Administer comments" can set comment visibility on nodes they can edit
P4 | Affected: ≥ 8.0.0, < 8.1.10 | Date: 2022-05-17
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
Sources: ghsa, osv
CVE-2020-13662 [MEDIUM] CWE-601 Drupal Core Open Redirect vulnerability
P4 | Affected: ≥ 7.0.0, < 7.70 | Date: 2022-05-24
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects Drupal Core 7 versions prior to 7.70.
Sources: ghsa, osv
CVE-2026-6365 [MEDIUM] CWE-79 Drupal core is Vulnerable to Cross-Site Scripting
P4 | Affected: ≥ 8.0.0, < 10.5.9; ≥ 10.6.0, < 10.6.7; +2 more | Date: 2026-05-20
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Sources: ghsa
CVE-2026-6367 [MEDIUM] CWE-79 Drupal core allows Cross-Site Scripting (XSS)
P4 | Affected: ≥ 11.3.0, < 11.3.7 | Date: 2026-05-20
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS).
This issue affects Drupal core: from 11.3.0 before 11.3.7.
Sources: ghsa
CVE-2017-6927 [MEDIUM] CWE-79 Drupal cross-site scripting vulnerability
P4 | Affected: ≥ 8.4.0, < 8.4.5; ≥ 7.0, < 7.57 | Date: 2022-05-14
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting v
Sources: ghsa, osv
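An added example (not Drupal's Drupal.checkPlain() and not its patch) of the escaping discipline this entry concerns: text that JavaScript writes into markup has to be escaped for every context it can land in, and the gap such escapers most often have is a character that is harmless in a text node but terminates an attribute value. The block escapes the five HTML-significant characters, keeps an incomplete variant beside it only for comparison, and uses a small attribute tokenizer (an assumption of the example, not an HTML parser) to count how many attributes a browser would see after each escaper. The attack value, helper names and tag are constructed for the example; which injection method the Drupal fix actually closed is not stated on this page.

```javascript
// Added example, not Drupal code: context-complete HTML escaping for values
// that JavaScript inserts into markup, beside an incomplete variant.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass replaces each special character exactly once, so "&" is never
// re-escaped and the order of the map does not matter. Safe for text nodes and
// for attribute values quoted with either " or '.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Incomplete variant kept only for comparison: it leaves the single quote
// alone, so it holds in text nodes and double-quoted attributes but not in
// single-quoted ones. Do not use it.
function escapeHtmlNoSingleQuote(value) {
  return String(value).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal tokenizer for the attributes of one start tag, honouring quotes the
// way a browser does; returns the lower-cased attribute names in order.
// An assumption of this example, not an HTML parser.
function attributeNames(tag) {
  const inner = tag.replace(/^<[A-Za-z][^\s/>]*/, '').replace(/\/?>$/, '');
  const names = [];
  let i = 0;
  const skipSpace = () => { while (i < inner.length && /\s/.test(inner[i])) i++; };
  while (true) {
    skipSpace();
    if (i >= inner.length) break;
    let name = '';
    while (i < inner.length && !/[\s=]/.test(inner[i])) name += inner[i++];
    names.push(name.toLowerCase());
    skipSpace();
    if (inner[i] !== '=') continue;
    i++;
    skipSpace();
    const quote = inner[i];
    if (quote === '"' || quote === "'") {
      const end = inner.indexOf(quote, i + 1);
      i = end === -1 ? inner.length : end + 1;
    } else {
      while (i < inner.length && !/\s/.test(inner[i])) i++;
    }
  }
  return names;
}

// Constructed attacker-controlled value: closes a single-quoted attribute and
// starts an event-handler attribute of its own.
const ATTACK_VALUE = "' onmouseover='alert(1)";

// Render the value into a single-quoted title attribute with the given escaper
// and report which attributes the resulting tag carries.
function attributesAfterEscaping(escaper, value = ATTACK_VALUE) {
  return attributeNames(`<a title='${escaper(value)}'>`);
}

console.log('incomplete escaper:', attributesAfterEscaping(escapeHtmlNoSingleQuote));
console.log('complete escaper:  ', attributesAfterEscaping(escapeHtml));
```

With the incomplete escaper the tag carries a second attribute, onmouseover, that the author never wrote; with all five characters escaped the browser sees only title. The same value is harmless in a text node under either escaper, which is why an escaper that was only ever tested against text-node injection can pass review and still be exploitable in attribute context.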
CVE-2017-6929 [MEDIUM] CWE-79 Drupal cross site scripting vulnerability
P4 | Affected: ≥ 7.0, < 7.57; ≥ 8.0, < 8.4.0 | Date: 2022-05-14
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57)
Sources: ghsa, osv
CVE-2025-31675 [LOW] CWE-79 Drupal Core Cross-Site Scripting (XSS) Vulnerability
P4 | Affected: ≥ 8.0.0, < 10.3.14; ≥ 10.4.0, < 10.4.5; +2 more | Date: 2025-04-01
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
Sources: ghsa, osv
CVE-2025-3057 [MEDIUM] CWE-79 Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
P4 | Affected: ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more | Date: 2025-04-01
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Sources: ghsa, osv
CVE-2016-7572 [MEDIUM] Drupal Unprivileged access to config export
P4 | Affected: ≥ 8.0, < 8.1.10 | Date: 2022-05-17
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.
Sources: ghsa, osv
CVE-2016-7571 [MEDIUM] CWE-79 Drupal Cross-site scripting (XSS) vulnerability
P4 | Affected: ≥ 8.0, < 8.1.10 | Date: 2022-05-17
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
Sources: ghsa, osv