Critical severityCISA KEVNVD Advisory· Published Jul 19, 2018· Updated Dec 17, 2025

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

CVE-2018-7602

Description

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
drupal/corePackagist	>= 7.0, < 7.59	7.59
drupal/corePackagist	>= 8.0, < 8.4.8	8.4.8
drupal/corePackagist	>= 8.5, < 8.5.3	8.5.3
drupal/drupalPackagist	>= 7.0, < 7.59	7.59
drupal/drupalPackagist	>= 8.0, < 8.4.8	8.4.8
drupal/drupalPackagist	>= 8.5, < 8.5.3	8.5.3

Affected products

Drupal/corev5
Range: unspecified

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/44542/mitreexploitx_refsource_EXPLOIT-DB
www.exploit-db.com/exploits/44557/mitreexploitx_refsource_EXPLOIT-DB
github.com/advisories/GHSA-297x-j9pm-xjggghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2018-7602ghsaADVISORY
www.debian.org/security/2018/dsa-4180ghsavendor-advisoryx_refsource_DEBIANWEB
www.securityfocus.com/bid/103985mitrevdb-entryx_refsource_BID
www.securitytracker.com/id/1040754mitrevdb-entryx_refsource_SECTRACK
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-7602.yamlghsaWEB
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-7602.yamlghsaWEB
lists.debian.org/debian-lts-announce/2018/04/msg00030.htmlghsamailing-listx_refsource_MLISTWEB
www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
www.drupal.org/sa-core-2018-004ghsax_refsource_CONFIRMWEB
www.exploit-db.com/exploits/44542ghsaWEB
www.exploit-db.com/exploits/44557ghsaWEB

News mentions

No linked articles in our index yet.

Severity

criticalFrom advisory

Numeric CVSS not yet published. Severity reported by the issuing advisory.

EPSS

Probability of exploitation in the next 30 days.

94.38%

VYPR risk score

Composite of severity, exploitation, and reach.

0.87critical

cvss	0.585
epss	0.076
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060

Weaknesses

No CWEs mapped.

CVE ID

CVE-2018-7602

Source code

github.com/drupal/core

Credits

AP
Alex Pott
finder
DR
David Rothstein
finder
HD
Heine Deelstra
finder
JM
Jasper Mattsson
finder
AP
Alex Pott
remediation developer
CW
Cash Williams
remediation developer
DW
Daniel Wehner
remediation developer
DR
David Rothstein
remediation developer
HD
Heine Deelstra
remediation developer
JM
Jasper Mattsson
remediation developer
LR
Lee Rowlands
remediation developer
MH
Michael Hess
remediation developer
NL
Nate Lampton
remediation developer
ND
Neil Drumm
remediation developer
PO
Pere Orga
remediation developer
PW
Peter Wolanin
remediation developer
SM
Samuel Mortenson
remediation developer
TP
Tim Plunkett
remediation developer
X
xjm
remediation developer