
Drupal Core vulnerabilities

41 known vulnerabilities affecting drupal/drupal_core.

Total CVEs: 41
CISA KEV (actively exploited): 3
Public exploits: 4
Exploited in the wild: 4
Severity breakdown: CRITICAL 7, HIGH 12, MEDIUM 21, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2026-9082 | Priority P1 | CRITICAL | CVSS 9.8 | CISA KEV | Public PoC | 2026-05-20
Affected: >= 8.9.0 < 10.4.10; >= 10.5.0 < 10.5.10; >= 10.6.0 < 10.6.9; >= 11.0.0 < 11.1.10; >= 11.2.0 < 11.2.12; >= 11.3.0 < 11.3.10
Weakness: CWE-89 (SQL Injection)
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Source: NVD
CVE-2019-6340 | Priority P1 | HIGH | CVSS 8.1 | CISA KEV | Public PoC | 2019-02-21
Affected: >= 8.5 < 8.5.11; >= 8.6 < 8.6.10
Weakness: CWE-502 (Deserialization of Untrusted Data)
Description: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PAT (description truncated at source)
Source: NVD
CVE-2020-13671 | Priority P1 | HIGH | CVSS 8.8 | CISA KEV | Used by ransomware | 2020-11-20
Affected: 9.0 versions prior to 9.0.8; 8.9 versions prior to 8.9.9; +2 more
Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Description: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8 (description truncated at source)
Source: NVD
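The hosting configurations the CVE-2020-13671 entry alludes to are those where the web server maps every ".php" segment of a name to the PHP handler, so an upload named "shell.php.txt" passes a last-extension allow-list and still executes. The added example below is not Drupal core's own munging code; it shows the mitigation in plain PHP: every extension other than the final one is made harmless by appending an underscore, and the final one is checked against an allow-list as well. The allow-list, the sample filenames and the function name are assumptions for this example.

```php
<?php
declare(strict_types=1);
// Added example, not Drupal core's file-munging code. Demonstrates neutralising
// double extensions ("shell.php.txt") so that no inner segment can match a
// server-side handler, regardless of how Apache/nginx are configured.

/**
 * Rewrite $filename so that only an allow-listed extension survives intact.
 * Inner extensions not in $allowed get "_" appended ("php" -> "php_"); the
 * final extension is treated the same way. $allowed is an assumption.
 */
function munge_filename(string $filename, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip']): string
{
    // Drop directory components and NUL bytes an attacker might smuggle in.
    $filename = basename(str_replace("\0", '', $filename));
    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        return $filename; // no extension at all, nothing to munge
    }
    $name = array_shift($parts);
    $last = array_pop($parts);
    foreach ($parts as &$ext) {
        if (!in_array(strtolower($ext), $allowed, true)) {
            $ext .= '_';
        }
    }
    unset($ext);
    if (!in_array(strtolower($last), $allowed, true)) {
        $last .= '_';
    }
    return implode('.', array_merge([$name], $parts, [$last]));
}

// Constructed sample filenames with the output the munging is expected to give.
$samples = [
    'report.pdf'      => 'report.pdf',        // clean, unchanged
    'shell.php.txt'   => 'shell.php_.txt',    // inner .php neutralised
    'image.phtml.jpg' => 'image.phtml_.jpg',  // other PHP handler extensions too
    'a.php'           => 'a.php_',            // final extension not allowed
    '.htaccess'       => '.htaccess_',        // cannot override the directory's .htaccess
    'archive.tar.gz'  => 'archive.tar_.gz_',  // strict: unknown extensions are munged
];
foreach ($samples as $in => $expected) {
    $out = munge_filename($in);
    printf("%-17s -> %-19s %s\n", $in, $out, $out === $expected ? 'ok' : 'MISMATCH');
}
```

Munging is one layer only: the files directory should still carry the .htaccess (or equivalent nginx location rule) that disables script execution, which the CVE-2017-6381 entry below also relies on, and the upload allow-list should be as short as the site can tolerate.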
CVE-2017-6922 | Priority P2 | MEDIUM | CVSS 6.5 | Exploited in the wild | 2019-01-22
Affected: Drupal 8.x before 8.3.4; Drupal 7.x before 7.56 (the fixed releases named in the description)
Weakness: CWE-552 (Files or Directories Accessible to External Parties)
Description: In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access (description truncated at source)
Source: NVD
CVE-2018-1000888 | Priority P2 | HIGH | CVSS 8.8 | Public PoC | 2018-12-28
Affected: >= 7.x < 7.62; >= 8.6.x < 8.6.6; +1 more
Weakness: CWE-502 (Deserialization of Untrusted Data)
Description: PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `ph (description truncated at source)
Source: NVD
CVE-2019-6339 | Priority P2 | CRITICAL | CVSS 9.8 | 2019-01-22
Affected: >= 7.x < 7.62; >= 8.6.x < 8.6.6; +1 more
Weakness: CWE-20 (Improper Input Validation)
Description: In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, (description truncated at source)
Source: NVD
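The CVE-2019-6339 and CVE-2018-1000888 entries share one mechanism: a harmless-looking PHP file function (file_exists, is_file, is_dir) receives a path beginning with phar://, and PHP unserializes the archive's metadata before answering. Drupal's own fix works at the stream-wrapper level; the added example below, which is not Drupal's code, is the call-site check a practitioner can put in custom or contrib code that performs file operations on user input. The allow-list of schemes, the function names and the sample paths are assumptions for this example.

```php
<?php
declare(strict_types=1);
// Added example, not Drupal core's fix for CVE-2019-6339. Refuse every stream
// wrapper that is not explicitly allowed before a user-supplied path reaches a
// PHP file function, so a phar:// URI never triggers metadata unserialization.

/**
 * Return $path unchanged if it has no scheme or an allow-listed one; throw otherwise.
 * The default allow-list names Drupal's local wrappers and is an assumption here.
 */
function assert_local_path(string $path, array $allowed_schemes = ['public', 'private', 'temporary']): string
{
    // A scheme is the "xxx://" prefix; a plain POSIX path or "C:\..." has none.
    if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $path, $m) === 1) {
        // Compare case-insensitively so "PHAR://" is not waved through.
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, $allowed_schemes, true)) {
            throw new InvalidArgumentException("refusing stream wrapper '{$scheme}://'");
        }
    }
    return $path;
}

/** file_exists() that cannot be pointed at a phar:// (or any other non-local) URI. */
function safe_file_exists(string $path): bool
{
    return file_exists(assert_local_path($path));
}

// Constructed inputs: what an upload, settings form or API body might hand over.
$inputs = [
    'public://2024-11/report.pdf',                 // allowed Drupal wrapper
    '/var/www/html/sites/default/files/report.pdf', // plain path, no scheme
    'phar://sites/default/files/avatar.jpg/dummy',  // phar archive disguised as an image
    'PHAR://sites/default/files/avatar.jpg/dummy',  // same, upper-cased scheme
    'data://text/plain;base64,SGVsbG8=',            // any other wrapper is refused too
];
foreach ($inputs as $input) {
    try {
        assert_local_path($input);
        echo "accepted: {$input}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$input} ({$e->getMessage()})\n";
    }
}
// A plain path goes through the wrapper unchanged.
var_dump(safe_file_exists(__FILE__));
```

The check is deliberately an allow-list rather than a deny-list of "phar": PHP registers many wrappers, and the safe set for a given call site is short and known, while the unsafe set grows with every extension the host loads.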
CVE-2024-55638 | Priority P2 | CRITICAL | CVSS 9.8 | 2024-12-10
Affected: >= 7.0 < 7.102; >= 8.0.0 < 10.2.11; >= 10.3.0 < 10.3.9
Weakness: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget cha (description truncated at source)
Source: NVD
CVE-2024-45440 | Priority P3 | MEDIUM | CVSS 5.3 | Public PoC | 2024-08-29
Affected: 11.x-dev
Weakness: CWE-209 (Generation of Error Message Containing Sensitive Information)
Description: core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
Source: NVD
CVE-2024-55636 | Priority P2 | CRITICAL | CVSS 9.8 | 2024-12-10
Affected: >= 8.0.0 < 10.2.11; >= 10.3.0 < 10.3.9; >= 11.0.0 < 11.0.8
Weakness: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget (description truncated at source)
Source: NVD
CVE-2024-55637 | Priority P2 | CRITICAL | CVSS 9.8 | 2024-12-10
Affected: >= 8.0.0 < 10.2.11; >= 10.3.0 < 10.3.9; >= 11.0.0 < 11.0.8
Weakness: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget (description truncated at source)
Source: NVD
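CVE-2024-55636, CVE-2024-55637 and CVE-2024-55638 are gadget chains: sequences of core methods that do something useful to an attacker once an object of the right class exists, but that do nothing until some code on the site calls unserialize() on attacker-controlled bytes. The added example below is not Drupal core code; it uses a hypothetical gadget class to show the difference between a plain unserialize() call, which instantiates whatever class the payload names, and a call with allowed_classes set to false, which never instantiates anything. The class, payload and function names are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not Drupal core code. LogFlusher stands in for any gadget:
// the attacker never calls it directly, they only need it to be instantiated
// from their data, after which PHP runs its magic methods for them.

final class LogFlusher
{
    public string $target = '/tmp/app.log';

    // Runs when the object is freed; real gadgets write files, invoke closures
    // or call into other objects from here.
    public function __destruct()
    {
        echo "LogFlusher::__destruct() ran with target={$this->target}\n";
    }
}

// Constructed attacker payload: one O: record naming the gadget class and
// setting a property it trusts. Longer chains nest more objects the same way.
const PAYLOAD = 'O:10:"LogFlusher":1:{s:6:"target";s:19:"/var/www/html/x.php";}';

// Vulnerable pattern: every class named in the data is instantiated.
function unsafe_restore(string $data): mixed
{
    return unserialize($data);
}

// Hardened pattern: allowed_classes => false turns every object record into
// __PHP_Incomplete_Class, so no constructor, __wakeup or __destruct of a real
// class can run; the walk then rejects any object left anywhere in the result.
function safe_restore(string $data): mixed
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if (contains_object($value)) {
        throw new UnexpectedValueException('serialized data contained an object');
    }
    return $value;
}

function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Demonstration: scalar/array data passes, the object payload is refused,
// and the same payload through the vulnerable path materialises the gadget.
echo "plain data via safe_restore: ", json_encode(safe_restore(serialize(['id' => 7]))), "\n";
try {
    safe_restore(PAYLOAD);
} catch (UnexpectedValueException $e) {
    echo "payload via safe_restore: rejected ({$e->getMessage()})\n";
}
$gadget = unsafe_restore(PAYLOAD);
echo "payload via unsafe_restore: ", get_class($gadget), " instantiated\n";
unset($gadget); // freeing it fires the gadget's __destruct()
```

Where the data only ever needs scalars and arrays, json_decode() removes the problem entirely, because JSON has no object-with-class record to begin with; allowed_classes is the fallback for code that must keep the serialize() wire format.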
CVE-2020-13665 | Priority P3 | CRITICAL | CVSS 9.8 | 2021-05-05
Affected: >= 8.8.x < 8.8.8; >= 8.9.x < 8.9.1; >= 9.0.x < 9.0.1
Weakness: not assigned
Description: Access bypass vulnerability in Drupal Core's JSON:API module when JSON:API is in read/write mode. Only sites that have read_only set to FALSE under the jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.
Source: NVD
CVE-2020-13664 | Priority P3 | HIGH | CVSS 8.8 | 2021-05-05
Affected: >= 8.8.x < 8.8.8; >= 8.9.x < 8.9.1; +1 more
Weakness: CWE-77 (Command Injection)
Description: Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows (description truncated at source)
Source: NVD
CVE-2019-6342 | Priority P3 | CRITICAL | CVSS 9.8 | 2020-05-28
Affected: Drupal 8.7.4 only
Weakness: not assigned
Description: An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
Source: NVD
CVE-2024-55634 | Priority P3 | HIGH | CVSS 8.1 | 2024-12-10
Affected: >= 8.0.0 < 10.2.11; >= 10.3.0 < 10.3.9; >= 11.0.0 < 11.0.8
Weakness: CWE-178 (Improper Handling of Case Sensitivity)
Description: A vulnerability in Drupal Core allows Privilege Escalation. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Source: NVD
CVE-2017-6381 | Priority P3 | HIGH | CVSS 8.1 | 2017-03-16
Affected: 8.2.x versions before 8.2.7
Weakness: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
Description: A third-party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerable to this if you are running a version of Drupal before 8 (description truncated at source)
Source: NVD
CVE-2025-31674 | Priority P3 | HIGH | CVSS 7.5 | 2025-03-31
Affected: >= 8.0.0 < 10.3.13; >= 10.4.0 < 10.4.3; >= 11.0.0 < 11.0.12; >= 11.1.0 < 11.1.3
Weakness: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Description: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Source: NVD
CVE-2017-6924 | Priority P3 | HIGH | CVSS 7.4 | 2019-01-15
Affected: Drupal 8.x before 8.3.7
Weakness: CWE-269 (Improper Privilege Management)
Description: In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker (description truncated at source)
Source: NVD
CVE-2017-6377 | Priority P3 | HIGH | CVSS 7.5 | 2017-03-16
Affected: 8.2.x versions before 8.2.7
Weakness: CWE-863 (Incorrect Authorization)
Description: When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
Source: NVD
CVE-2024-11941 | Priority P3 | HIGH | CVSS 7.5 | 2024-12-05
Affected: >= 10.1.0 < 10.1.8; >= 10.2.0 < 10.2.2
Weakness: CWE-835 (Loop with Unreachable Exit Condition)
Description: A vulnerability in Drupal Core allows Excessive Allocation. This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
Source: NVD
CVE-2026-6366 | Priority P3 | MEDIUM | CVSS 6.6 | 2026-05-19
Affected: >= 8.0.0 < 10.5.9; >= 10.6.0 < 10.6.7; >= 11.0.0 < 11.2.11; >= 11.3.0 < 11.3.7
Weakness: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Description: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Source: NVD