Drupal/drupal
This hub aggregates every CVE we track for Drupal/drupal, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 68
- Critical: 10
- High: 24
- In CISA KEV: 4
Severity distribution
- MEDIUM: 33
- HIGH: 24
- CRITICAL: 10
- LOW: 1
Monthly trend
[Chart: monthly trend, 2024-07 to 2026-06]
Latest CVEs
The 15 most recently published vulnerabilities affecting Drupal/drupal.
- CVE-2024-55638: Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 (9.8)
- CVE-2024-55637: Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 (9.8)
- CVE-2024-55636: Drupal core - Less critical - Gadget chain - SA-CORE-2024-006 (9.8)
- CVE-2024-55634: Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 (8.1)
- CVE-2024-12393: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 (5.4)
- CVE-2024-45440: core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. (5.3)
- CVE-2020-13670: Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the... (7.5)
- CVE-2020-13672: Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions ... (6.1)
- CVE-2020-13669: Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.... (6.1)
- CVE-2020-13668: Access bypass in Drupal Core 8/9 (6.1)
- CVE-2020-13663: Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. (8.8)
- CVE-2021-33829: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafte... (6.1)
- CVE-2020-13667: Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when swit... (5.3)
- CVE-2020-13664: Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefu... (8.8)
- CVE-2020-13662: Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drup... (6.1)
Product normalization is registry-driven with AI assist and human review.