Drupal Security Vulnerabilities (CVEs)

This CVE describes a UI misrepresentation vulnerability in Drupal core that allows content spoofing. Attackers can manipulate the user interface to di...

This vulnerability in Drupal core allows attackers to exploit web browser caching to access sensitive information that should be protected. It affects...

This vulnerability in Drupal core allows attackers to bypass access controls through forceful browsing, potentially accessing restricted content or fu...

This CVE describes an object injection vulnerability in Drupal core that allows attackers to modify dynamically-determined object attributes improperl...

This vulnerability allows attackers to inject malicious scripts into web pages generated by Drupal COOKiES Consent Management module, which could exec...

This CVE describes a missing authentication vulnerability in Drupal Panels that allows attackers to bypass access controls on critical functions. Atta...

This Cross-Site Scripting (XSS) vulnerability in Drupal core allows attackers to inject malicious scripts into web pages viewed by other users. It aff...

This OS command injection vulnerability in Drupal AI allows attackers to execute arbitrary operating system commands on the server. It affects Drupal ...

This CVE describes a cross-site scripting (XSS) vulnerability in Drupal core that allows attackers to inject malicious scripts into web pages. The vul...

This CVE describes an incorrect authorization vulnerability in Drupal core that allows forceful browsing (accessing restricted pages without proper pe...

This CVE describes an object injection vulnerability in Drupal core that allows attackers to modify dynamically-determined object attributes improperl...

This Cross-Site Scripting (XSS) vulnerability in Drupal Core allows attackers to inject malicious scripts into web pages viewed by other users. It aff...

This vulnerability in Drupal Core allows attackers to escalate privileges, potentially gaining administrative access to Drupal sites. It affects Drupa...

A denial-of-service vulnerability in Drupal Core allows attackers to cause excessive resource allocation through specially crafted requests. This affe...

This vulnerability in Drupal 11.x-dev allows Full Path Disclosure when the hash_salt configuration points to a non-existent file. Attackers can exploi...

This CVE describes a vulnerability in Drupal's handling of structural elements that could allow an attacker to trigger a denial-of-service condition. ...

Drupal's JSON:API module can expose sensitive error backtraces that may be cached and accessible to anonymous users. This information disclosure vulne...

This vulnerability allows attackers to bypass Drupal's filename sanitization when .htaccess files are explicitly allowed for upload, potentially leadi...

This vulnerability in Drupal's form API allows attackers to bypass input validation on certain contributed or custom module forms. Attackers could inj...

This vulnerability allows unauthorized access to image files stored in non-standard file systems when insecure derivatives are enabled. It affects Dru...

Guzzle HTTP client versions before 6.5.7 and 7.4.4 expose sensitive cookie information during HTTP redirects. When a request to an HTTPS server redire...

Guzzle PHP HTTP client versions prior to 6.5.6 and 7.4.3 have a cookie domain validation vulnerability that allows malicious servers to set cookies fo...

This vulnerability in Drupal core's form API allows improper input validation in certain contributed or custom module forms. Attackers could inject di...

This vulnerability allows attackers to access metadata of private files in Drupal by guessing file IDs, potentially exposing sensitive information. It...

CVE-2020-13677 is an access control vulnerability in Drupal's JSON:API module that allows attackers to bypass intended content restrictions. This affe...

This CVE describes an arbitrary PHP code execution vulnerability in Drupal Core that allows attackers to create specially named directories on the fil...