Drupal Core vulnerabilities
41 known vulnerabilities affecting drupal/drupal_core.
Total CVEs: 41
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 4
Severity breakdown: CRITICAL 7, HIGH 12, MEDIUM 21, LOW 1
Vulnerabilities (page 2 of 3)
CVE-2020-13663 | HIGH (P3) | CVSS 8.8 | CWE-352 | 2021-06-11
Affected: ≥ 7.x, < 7.72; ≥ 8.8.x, < 8.8.8; +2 more
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Source: nvd

CVE-2017-6923 | MEDIUM (P3) | CVSS 6.5 | CWE-862 | 2019-01-22
Affected: ≥ 8.x, < 8.3.7
In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form o
Source: nvd

CVE-2025-13081 | MEDIUM (P3) | CVSS 5.9 | CWE-915 | 2025-11-18
Affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Source: nvd

CVE-2017-6921 | MEDIUM (P4) | CVSS 5.9 | CWE-20 | 2019-01-15
Affected: ≥ Drupal 8, < 8.3.4
In Drupal 8 prior to 8.3.4, the file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to
Source: nvd

CVE-2019-6341 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | 2019-03-26
Affected: ≥ Drupal 7, < 7.65; ≥ Drupal 8.6, < 8.6.13; +1 more
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Source: nvd
CVE-2024-11942P3MEDIUMCVSS 5.9≥ 10.0.0, < 10.2.102024-12-05
CVE-2024-11942 [MEDIUM] CWE-390 CVE-2024-11942: A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0
A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
nvd

CVE-2017-6379 | HIGH (P4) | CVSS 7.5 | CWE-352 | 2017-03-16
Affected: 8.2.x versions before 8.2.7
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
Source: nvd

CVE-2020-13666 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | 2021-05-05
Affected: ≥ 7.x, < 7.73; ≥ 8.8.x, < 8.8.10; +2 more
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Source: nvd

CVE-2025-13080 | MEDIUM (P4) | CVSS 5.3 | CWE-754 | 2025-11-18
Affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +2 more
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Source: nvd

CVE-2020-13667 | MEDIUM (P4) | CVSS 5.3 | CWE-276 | 2021-05-17
Affected: ≥ 8.8.X, < 8.8.10; ≥ 8.9.X, < 8.9.6; +1 more
Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the cont
Source: nvd

CVE-2020-13688 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | 2021-06-11
Affected: ≥ 8.8.X, < 8.8.10; ≥ 8.9.X, < 8.9.6; +1 more
Cross-site scripting vulnerability in Drupal Core: an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
Source: nvd

CVE-2020-13662 | MEDIUM (P4) | CVSS 6.1 | CWE-601 | 2021-05-05
Affected: ≥ 7, ≤ 7.70
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects Drupal Core 7, version 7.70 and prior versions.
Source: nvd

CVE-2026-6365 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | 2026-05-19
Affected: ≥ 8.0.0, < 10.5.9; ≥ 10.6.0, < 10.6.7; +2 more
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Source: nvd

CVE-2026-6367 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | 2026-05-19
Affected: ≥ 11.3.0, < 11.3.7
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.
Source: nvd

CVE-2025-3057 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | 2025-03-31
Affected: ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Source: nvd

CVE-2025-31675 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | 2025-03-31
Affected: ≥ 8.0.0, < 10.3.14; ≥ 10.4.0, < 10.4.5; +2 more
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.
Source: nvd

CVE-2025-31673 | MEDIUM (P4) | CVSS 4.6 | CWE-863 | 2025-03-31
Affected: ≥ 8.0.0, < 10.3.13; ≥ 10.4.0, < 10.4.3; +2 more
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Source: nvd

CVE-2024-55635 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | 2024-12-10
Affected: ≥ 7.0, < 7.102
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 7.0 before 7.102.
Source: nvd

CVE-2024-12393 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | 2024-12-10
Affected: ≥ 8.8.0, < 10.2.11; ≥ 10.3.0, < 10.3.9; +1 more
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Source: nvd

CVE-2025-13083 | LOW (P4) | CVSS 3.7 | CWE-525 | 2025-11-18
Affected: ≥ 8.0.0, < 10.4.9; ≥ 10.5.0, < 10.5.6; +3 more
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
Source: nvd