Packagist (Composer) package

drupal/core

pkg:composer/drupal/core

Vulnerabilities (91)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-13083		—	>= 8.0.0, < 10.4.9	10.4.9	Nov 18, 2025	Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, fr
CVE-2025-13082		—	>= 8.0.0, < 10.4.9	10.4.9	Nov 18, 2025	User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
CVE-2025-13081		—	>= 8.0.0, < 10.4.9	10.4.9	Nov 18, 2025	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
CVE-2025-13080		—	>= 8.0.0, < 10.4.9	10.4.9	Nov 18, 2025	Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
CVE-2025-31675	Med	5.4	>= 8.0.0, < 10.3.14	10.3.14	Mar 31, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0
CVE-2025-31674		—	>= 8.0.0, < 10.3.13	10.3.13	Mar 31, 2025	Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2025-31673		—	>= 8.0.0, < 10.3.13	10.3.13	Mar 31, 2025	Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2025-3057		—	>= 8.0.0, < 10.3.13	10.3.13	Mar 31, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0
CVE-2024-55638		—	>= 8.8.0, < 10.2.11	10.2.11	Dec 9, 2024	Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deseri
CVE-2024-55637		—	>= 8.8.0, < 10.2.11	10.2.11	Dec 9, 2024	Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure de
CVE-2024-55636		—	>= 8.8.0, < 10.2.11	10.2.11	Dec 9, 2024	Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure de
CVE-2024-55634		—	>= 8.0.0, < 10.2.11	10.2.11	Dec 9, 2024	A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-12393		—	>= 8.8.0, < 10.2.11	10.2.11	Dec 9, 2024	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-11942		—	>= 10.0.0, < 10.2.10	10.2.10	Dec 5, 2024	A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
CVE-2024-11941		—	>= 10.1.0, < 10.1.8	10.1.8	Dec 5, 2024	A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
CVE-2024-45440		—	>= 10.3.0, < 10.3.6	10.3.6	Aug 29, 2024	core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
CVE-2024-22362		—	—	—	Jan 16, 2024	Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.
CVE-2023-5256		—	>= 8.7.0, < 9.5.11	9.5.11	Sep 28, 2023	In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:AP
CVE-2023-31250		—	>= 10.0.0, < 10.0.8	10.0.8	Apr 26, 2023	The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the releas
CVE-2022-25278		—	>= 8.0.0, < 9.3.19	9.3.19	Apr 26, 2023	Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed

CVE-2025-13083Nov 18, 2025
affected >= 8.0.0, < 10.4.9fixed 10.4.9
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, fr
CVE-2025-13082Nov 18, 2025
affected >= 8.0.0, < 10.4.9fixed 10.4.9
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
CVE-2025-13081Nov 18, 2025
affected >= 8.0.0, < 10.4.9fixed 10.4.9
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
CVE-2025-13080Nov 18, 2025
affected >= 8.0.0, < 10.4.9fixed 10.4.9
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
CVE-2025-31675MedMar 31, 2025
affected >= 8.0.0, < 10.3.14fixed 10.3.14
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0
CVE-2025-31674Mar 31, 2025
affected >= 8.0.0, < 10.3.13fixed 10.3.13
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2025-31673Mar 31, 2025
affected >= 8.0.0, < 10.3.13fixed 10.3.13
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2025-3057Mar 31, 2025
affected >= 8.0.0, < 10.3.13fixed 10.3.13
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0
CVE-2024-55638Dec 9, 2024
affected >= 8.8.0, < 10.2.11fixed 10.2.11
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deseri
CVE-2024-55637Dec 9, 2024
affected >= 8.8.0, < 10.2.11fixed 10.2.11
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure de
CVE-2024-55636Dec 9, 2024
affected >= 8.8.0, < 10.2.11fixed 10.2.11
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure de
CVE-2024-55634Dec 9, 2024
affected >= 8.0.0, < 10.2.11fixed 10.2.11
A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-12393Dec 9, 2024
affected >= 8.8.0, < 10.2.11fixed 10.2.11
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-11942Dec 5, 2024
affected >= 10.0.0, < 10.2.10fixed 10.2.10
A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
CVE-2024-11941Dec 5, 2024
affected >= 10.1.0, < 10.1.8fixed 10.1.8
A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
CVE-2024-45440Aug 29, 2024
affected >= 10.3.0, < 10.3.6fixed 10.3.6
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
CVE-2024-22362Jan 16, 2024
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.
CVE-2023-5256Sep 28, 2023
affected >= 8.7.0, < 9.5.11fixed 9.5.11
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:AP
CVE-2023-31250Apr 26, 2023
affected >= 10.0.0, < 10.0.8fixed 10.0.8
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the releas
CVE-2022-25278Apr 26, 2023
affected >= 8.0.0, < 9.3.19fixed 9.3.19
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed

Page 1 of 5