Critical severity 9.8 · CISA KEV · NVD Advisory · Published Mar 29, 2018 · Updated Jun 17, 2026
CVE-2018-7600
Description
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 7.0, < 7.58 | 7.58 |
| drupal/core (Packagist) | >= 8.0, < 8.3.9 | 8.3.9 |
| drupal/core (Packagist) | >= 8.4.0, < 8.4.6 | 8.4.6 |
| drupal/core (Packagist) | >= 8.5.0, < 8.5.1 | 8.5.1 |
| drupal/drupal (Packagist) | >= 7.0, < 7.58 | 7.58 |
| drupal/drupal (Packagist) | >= 8.0, < 8.3.9 | 8.3.9 |
| drupal/drupal (Packagist) | >= 8.4, < 8.4.6 | 8.4.6 |
| drupal/drupal (Packagist) | >= 8.5, < 8.5.1 | 8.5.1 |
Affected products (2)
- ghsa-coords, 2 versions: >= 7.0, < 7.58 (+ 1 more)
- (no CPE) range: >= 7.0, < 7.58
- (no CPE) range: >= 7.0, < 7.58
References (28)
- research.checkpoint.com/uncovering-drupalgeddon-2/ [nvd: Exploit, Third Party Advisory]
- www.exploit-db.com/exploits/44448/ [nvd: Exploit, Third Party Advisory, VDB Entry]
- www.exploit-db.com/exploits/44449/ [nvd: Exploit, Third Party Advisory, VDB Entry]
- www.exploit-db.com/exploits/44482/ [nvd: Exploit, Third Party Advisory, VDB Entry]
- www.securityfocus.com/bid/103534 [nvd: Broken Link, Third Party Advisory, VDB Entry, WEB]
- www.securitytracker.com/id/1040598 [nvd: Broken Link, Third Party Advisory, VDB Entry, WEB]
- badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/ [nvd: Broken Link, Third Party Advisory]
- blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714 [nvd: Third Party Advisory, WEB]
- github.com/advisories/GHSA-7fh9-933g-885p [ghsa: ADVISORY]
- greysec.net/showthread.php [nvd: Broken Link, Issue Tracking, Third Party Advisory, WEB]
- groups.drupal.org/security/faq-2018-002 [nvd: Vendor Advisory, WEB]
- lists.debian.org/debian-lts-announce/2018/03/msg00028.html [nvd: Third Party Advisory, WEB]
- nvd.nist.gov/vuln/detail/CVE-2018-7600 [ghsa: ADVISORY]
- twitter.com/RicterZ/status/979567469726613504 [nvd: Broken Link, Third Party Advisory, WEB]
- twitter.com/RicterZ/status/984495201354854401 [nvd: Broken Link, Third Party Advisory, WEB]
- twitter.com/arancaytar/status/979090719003627521 [nvd: Third Party Advisory, WEB]
- www.debian.org/security/2018/dsa-4156 [nvd: Third Party Advisory, WEB]
- www.drupal.org/sa-core-2018-002 [nvd: Vendor Advisory, WEB]
- www.synology.com/support/security/Synology_SA_18_17 [nvd: Third Party Advisory, WEB]
- www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know [nvd: Third Party Advisory, WEB]
- badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600 [ghsa: WEB]
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-7600.yaml [ghsa: WEB]
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-7600.yaml [ghsa: WEB]
- research.checkpoint.com/uncovering-drupalgeddon-2 [ghsa: WEB]
- www.cisa.gov/known-exploited-vulnerabilities-catalog [nvd: US Government Resource, WEB]
- www.exploit-db.com/exploits/44448 [ghsa: WEB]
- www.exploit-db.com/exploits/44449 [ghsa: WEB]
- www.exploit-db.com/exploits/44482 [ghsa: WEB]
News mentions (1)
- CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004), Tenable Blog · May 21, 2026