Drupal Core vulnerabilities

38 known vulnerabilities affecting drupal/drupal_core.

Total CVEs: 38
CISA KEV: 2 (actively exploited)
Public exploits: 3
Exploited in wild: 3
Severity breakdown: Critical 6, High 13, Medium 18, Low 1

Vulnerabilities

Page 1 of 2
CVE-2025-13080 | MEDIUM | CVSS 5.3 | CWE-754 | published 2025-11-18
Affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Sources: cvelistv5, nvd

CVE-2025-13081 | MEDIUM | CVSS 5.9 | CWE-915 | published 2025-11-18
Affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Sources: cvelistv5, nvd

CVE-2025-13082 | MEDIUM | CVSS 4.3 | CWE-451 | published 2025-11-18
Affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more
Advisory: Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Sources: cvelistv5

CVE-2025-13083 | LOW | CVSS 3.7 | CWE-525 | published 2025-11-18
Affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +3 more
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
Sources: cvelistv5, nvd

CVE-2025-31674 | HIGH | CVSS 7.5 | CWE-915 | published 2025-03-31
Affected: ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Sources: cvelistv5, nvd

CVE-2025-3057 | MEDIUM | CVSS 6.1 | CWE-79 | published 2025-03-31
Affected: ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Sources: cvelistv5, nvd

CVE-2025-31673 | MEDIUM | CVSS 4.6 | CWE-863 | published 2025-03-31
Affected: ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Sources: cvelistv5, nvd

CVE-2025-31675 | MEDIUM | CVSS 5.4 | CWE-79 | published 2025-03-31
Affected: ≥ 8.0.0, < 10.3.14; ≥ 10.4.0, < 10.4.5; +2 more
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.
Sources: cvelistv5, nvd

CVE-2024-55637 | CRITICAL | CVSS 9.8 | CWE-915 | published 2024-12-10
Affected: ≥ 8.0.0, < 10.2.11; ≥ 10.3.0, < 10.3.9; +1 more
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget
Sources: cvelistv5, nvd

CVE-2024-55636 | CRITICAL | CVSS 9.8 | CWE-915 | published 2024-12-10
Affected: ≥ 8.0.0, < 10.2.11; ≥ 10.3.0, < 10.3.9; +1 more
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget
Sources: cvelistv5, nvd

CVE-2024-55638 | CRITICAL | CVSS 9.8 | CWE-915 | published 2024-12-10
Affected: ≥ 7.0, < 7.102; ≥ 8.0.0, < 10.2.11; +1 more
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget cha
Sources: cvelistv5, nvd

CVE-2024-55634 | HIGH | CVSS 8.1 | CWE-178 | published 2024-12-10
Affected: ≥ 8.0.0, < 10.2.11; ≥ 10.3.0, < 10.3.9; +1 more
A vulnerability in Drupal Core allows Privilege Escalation. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Sources: cvelistv5, nvd

CVE-2024-12393 | MEDIUM | CVSS 5.4 | CWE-79 | published 2024-12-10
Affected: ≥ 8.8.0, < 10.2.11; ≥ 10.3.0, < 10.3.9; +1 more
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Sources: cvelistv5, nvd

CVE-2024-55635 | MEDIUM | CVSS 6.1 | CWE-79 | published 2024-12-10
Affected: ≥ 7.0, < 7.102
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 7.0 before 7.102.
Sources: cvelistv5, nvd

CVE-2024-11941 | HIGH | CVSS 7.5 | CWE-835 | published 2024-12-05
Affected: ≥ 10.2.0, < 10.2.2; ≥ 10.1.0, < 10.1.8
A vulnerability in Drupal Core allows Excessive Allocation. This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
Sources: cvelistv5, nvd

CVE-2024-11942 | MEDIUM | CVSS 5.9 | CWE-390 | published 2024-12-05
Affected: ≥ 10.0.0, < 10.2.10
A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.
Sources: cvelistv5, nvd

CVE-2024-45440 | MEDIUM | CVSS 5.3 | CWE-209 | PoC available | published 2024-08-29
Affected: 11.x-dev
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
Sources: cvelistv5, nvd

CVE-2020-13663 | HIGH | CVSS 8.8 | CWE-352 | published 2021-06-11
Affected: ≥ 7.x, < 7.72; ≥ 8.8.x, < 8.8.8; +2 more
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Sources: cvelistv5, nvd

CVE-2020-13688 | MEDIUM | CVSS 6.1 | CWE-79 | published 2021-06-11
Affected: ≥ 8.8.X, < 8.8.10; ≥ 8.9.X, < 8.9.6; +1 more
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
Sources: cvelistv5, nvd

CVE-2020-13667 | MEDIUM | CVSS 5.3 | CWE-276 | published 2021-05-17
Affected: ≥ 8.8.X, < 8.8.10; ≥ 8.9.X, < 8.9.6; +1 more
Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the cont
Sources: cvelistv5, nvd