📦 Drupal
by Drupal
⚠️ Known Vulnerabilities
This CVE describes a gadget chain vulnerability in Drupal Core that enables object injection when untrusted data is deserialized. While not directly exploitable on its own, it provides a vector for re...
This CVE describes a gadget chain in Drupal Core that enables object injection when untrusted data is deserialized. While the chain itself isn't directly exploitable, it can be leveraged for remote co...
CVE-2020-13675 is a critical access bypass vulnerability in Drupal's JSON:API and REST/File modules that allows attackers to upload files without proper validation. This affects Drupal sites using the...
This vulnerability allows attackers to bypass access controls in Drupal Core's JSON:API module when configured in read/write mode. Attackers could potentially perform unauthorized operations like crea...
This CVE describes an object injection vulnerability in Drupal core that allows attackers to modify dynamically-determined object attributes improperly. Attackers could potentially execute arbitrary c...
This vulnerability in Drupal Core allows attackers to escalate privileges, potentially gaining administrative access to Drupal sites. It affects Drupal installations running vulnerable versions from 8...
A denial-of-service vulnerability in Drupal Core allows attackers to cause excessive resource allocation through specially crafted requests. This affects Drupal sites running versions 10.2.0-10.2.1 an...
This CVE describes a vulnerability in Drupal's handling of structural elements that could allow an attacker to trigger a denial-of-service condition. The vulnerability affects Drupal core installation...
Drupal's JSON:API module can expose sensitive error backtraces that may be cached and accessible to anonymous users. This information disclosure vulnerability could lead to privilege escalation by rev...
This vulnerability allows attackers to bypass Drupal's filename sanitization when .htaccess files are explicitly allowed for upload, potentially leading to remote code execution on Apache servers. It ...
This vulnerability in Drupal's form API allows attackers to bypass input validation on certain contributed or custom module forms. Attackers could inject disallowed values or overwrite data, potential...
This vulnerability allows unauthorized access to image files stored in non-standard file systems when insecure derivatives are enabled. It affects Drupal sites using contributed modules that implement...
Guzzle HTTP client versions before 6.5.7 and 7.4.4 expose sensitive cookie information during HTTP redirects. When a request to an HTTPS server redirects to HTTP or to a different host, manually added...
Guzzle PHP HTTP client versions prior to 6.5.6 and 7.4.3 have a cookie domain validation vulnerability that allows malicious servers to set cookies for unrelated domains. Only applications that manual...
This vulnerability in Drupal core's form API allows improper input validation in certain contributed or custom module forms. Attackers could inject disallowed values or overwrite data, potentially alt...
This vulnerability allows attackers to access metadata of private files in Drupal by guessing file IDs, potentially exposing sensitive information. It affects Drupal Core versions 8.8.x before 8.8.10,...
CVE-2020-13677 is an access control vulnerability in Drupal's JSON:API module that allows attackers to bypass intended content restrictions. This affects Drupal sites with the JSON:API module enabled,...
This CVE describes an arbitrary PHP code execution vulnerability in Drupal Core that allows attackers to create specially named directories on the file system. When combined with brute force technique...
This CVE describes a UI misrepresentation vulnerability in Drupal core that allows content spoofing. Attackers can manipulate the user interface to display misleading information, potentially tricking...
This vulnerability in Drupal core allows attackers to bypass access controls through forceful browsing, potentially accessing restricted content or functionality. It affects Drupal sites running vulne...
This CVE describes an object injection vulnerability in Drupal core that allows attackers to modify dynamically-determined object attributes improperly. It affects Drupal sites running vulnerable vers...
This Cross-Site Scripting (XSS) vulnerability in Drupal core allows attackers to inject malicious scripts into web pages viewed by other users. It affects Drupal installations running vulnerable versi...
This CVE describes a cross-site scripting (XSS) vulnerability in Drupal core that allows attackers to inject malicious scripts into web pages. The vulnerability affects Drupal installations running af...
This CVE describes an incorrect authorization vulnerability in Drupal core that allows forceful browsing (accessing restricted pages without proper permissions). It affects Drupal sites running vulner...
This Cross-Site Scripting (XSS) vulnerability in Drupal Core allows attackers to inject malicious scripts into web pages viewed by other users. It affects Drupal sites running versions 8.8.0 through 1...
This vulnerability in Drupal 11.x-dev allows Full Path Disclosure when the hash_salt configuration points to a non-existent file. Attackers can exploit this to reveal the server's full filesystem path...
This vulnerability in Drupal core allows attackers to exploit web browser caching to access sensitive information that should be protected. It affects Drupal sites with misconfigured access controls, ...