Drupal Core vulnerabilities
108 known vulnerabilities affecting drupal/core.

Total CVEs: 108
CISA KEV: 6 (actively exploited)
Public exploits: 8
Exploited in wild: 9

Severity breakdown: CRITICAL 10, HIGH 35, MEDIUM 51, LOW 5, UNKNOWN 7

Vulnerabilities (page 6 of 6)
CVE-2025-31673 [MEDIUM] CWE-863 Drupal Core Vulnerable to Forceful Browsing
P4 | Affected versions: ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more | Date: 2025-04-01
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2016-9451 [MEDIUM] CWE-601 Drupal Open Redirect
P4 | Affected versions: ≥ 7.0, < 7.52; ≥ 8.0, < 8.2.3 | Date: 2022-05-17
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
CVE-2024-12393 [MEDIUM] CWE-79 Drupal Core Cross-Site Scripting (XSS)
P4 | Affected versions: ≥ 8.8.0, < 10.2.11; ≥ 10.3.0, < 10.3.9; +1 more | Date: 2024-12-10
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2020-13673 [UNKNOWN] The Drupal core Media module allows embedding internal and external media in content fields
P4 | Affected versions: ≥ 8.0.0, < 8.9.19; ≥ 9.1.0, < 9.1.13; +1 more | Date: 2021-09-15
The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.
This advisory is not covered by [Drupal Steward](/steward).
CVE-2017-6932 [MEDIUM] CWE-601 Drupal external link injection vulnerability
P4 | Affected versions: ≥ 7.0, < 7.57 | Date: 2022-05-14
Drupal core 7.x versions before 7.57 have an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.
CVE-2016-9449 [MEDIUM] CWE-200 Drupal sensitive information disclosure
P4 | Affected versions: ≥ 7.0, < 7.52; ≥ 8.0, < 8.2.3 | Date: 2022-05-17
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.
CVE-2025-13083 [LOW] CWE-525 Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
P4 | Affected versions: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +3 more | Date: 2025-11-18
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.
CVE-2025-13082 [LOW] CWE-451 Drupal core allows Content Spoofing
Affected versions: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more | Date: 2025-11-18
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.