Moderate severityNVD Advisory· Published Jan 16, 2024· Updated Jun 20, 2025

CVE-2024-22362

Description

Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Drupal 9.3.6 is vulnerable to improper handling of structural elements that can lead to a denial-of-service (DoS) condition via network access without authentication.

Vulnerability

Overview

CVE-2024-22362 describes an improper handling of structural elements vulnerability (CWE-237) in Drupal. The issue was confirmed in Drupal version 9.3.6, where the software fails to properly manage structural inputs, allowing an attacker to trigger a denial-of-service (DoS) condition [1][2].

Exploitation

Details

The vulnerability is exploitable remotely over the network without any authentication (AV:N/AC:L/PR:N/UI:N/S:U). The attack complexity is low, and no user interaction is required. The attacker can send crafted structural elements to the Drupal instance, causing resource exhaustion or crash [2].

Impact

Successful exploitation leads only to a denial-of-service (DoS) of the Drupal application, with no impact on confidentiality or integrity. The availability impact is rated as low [1][2].

Mitigation

Drupal has confirmed that the vulnerability does not affect the 10.x series or the latest 9.5.x releases. Users are advised to upgrade to Drupal 10.x or the latest 9.5.x. The Drupal 9 series reached end-of-life (EOL) in November 2023, so no further security patches are provided for that branch [2].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

osv-coords2 versions
pkg:bitnami/drupal pkg:composer/drupal/core
>= 9.3.6, < 10.2.6+ 1 more
- (no CPE)range: >= 9.3.6, < 10.2.6
- (no CPE)
Drupal/Drupalv5
Range: prior to 9.5.x

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-62cf-jvpp-48q6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-22362ghsaADVISORY
jvn.jp/en/jp/JVN63383723ghsaWEB
jvn.jp/en/jp/JVN63383723/mitre
www.drupal.orgmitre
www.drupal.org/about/core/policies/core-release-cycles/schedulemitre

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000