Drupal

This hub aggregates every CVE we track for Drupal, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Drupal.

• CVE-2026-9082Drupal core - Highly critical - SQL injection - SA-CORE-2026-004KEV6.5May 20, 2026
• CVE-2026-6367Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-0036.1May 19, 2026
• CVE-2026-6366Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-0026.6May 19, 2026
• CVE-2026-6365Drupal core - Critical - Cross-site scripting - SA-CORE-2026-0016.1May 19, 2026
• CVE-2025-12848XSS vulnerability when rendering filename in Webform Multiform6.1Nov 26, 2025
• CVE-2025-12761Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-1163.5Nov 18, 2025
• CVE-2025-12760Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-1155.4Nov 18, 2025
• CVE-2025-13083Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-0083.7Nov 18, 2025
• CVE-2025-13082Drupal core - Moderately critical - Defacement - SA-CORE-2025-0074.3Nov 18, 2025
• CVE-2025-13081Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-0065.9Nov 18, 2025
• CVE-2025-13080Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-0055.3Nov 18, 2025
• CVE-2025-12466Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-1147.5Oct 29, 2025
• CVE-2025-12083CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-1136.1Oct 29, 2025
• CVE-2025-12082CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-1127.5Oct 29, 2025
• CVE-2025-10929Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-1115.3Oct 29, 2025