High severity · CISA KEV · NVD Advisory · Published Nov 20, 2020 · Updated Oct 21, 2025
CVE-2020-13671
Description
Drupal core does not properly sanitize certain filenames on uploaded files. As a result, a file can be interpreted as having the wrong extension and then be served with the wrong MIME type or, for certain hosting configurations, executed as PHP. This issue affects Drupal core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 9.0.0, < 9.0.8 | 9.0.8 |
| drupal/core (Packagist) | >= 8.9.0, < 8.9.9 | 8.9.9 |
| drupal/core (Packagist) | >= 8.0.0, < 8.8.11 | 8.8.11 |
| drupal/core (Packagist) | >= 7.0.0, < 7.74 | 7.74 |
| drupal/drupal (Packagist) | >= 7.0.0, < 7.74 | 7.74 |
| drupal/drupal (Packagist) | >= 8.0.0, < 8.8.11 | 8.8.11 |
| drupal/drupal (Packagist) | >= 8.9.0, < 8.9.9 | 8.9.9 |
| drupal/drupal (Packagist) | >= 9.0.0, < 9.0.8 | 9.0.8 |
Affected products (4)
- osv-coords, 3 versions: >= 7.0.0, < 7.74.0 (+ 2 more)
- (no CPE) range: >= 7.0.0, < 7.74.0
- (no CPE) range: >= 9.0.0, < 9.0.8
- (no CPE) range: >= 7.0.0, < 7.74
- Range: 9.0 versions prior to 9.0.8
References (12)
- github.com/advisories/GHSA-68jc-v27h-vhmw (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-13671 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT (ghsa, WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (ghsa, WEB)
- www.drupal.org/sa-core-2020-012 (ghsa, x_refsource_CONFIRM, WEB)
News mentions (1)
- CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) (Tenable Blog, May 21, 2026)