Drupal

by Drupal

CVEs (203)

  • CVE-2015-2750 · Med · Sep 13, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.

  • CVE-2016-3166 · Med · Apr 12, 2016
    risk 0.38 · cvss 5.9 · epss 0.01

    CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data…

  • CVE-2026-6366 · Med · May 19, 2026
    risk 0.36 · cvss 6.6 · epss 0.00

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

  • CVE-2016-6212 · Med · Sep 9, 2016
    risk 0.35 · cvss 5.3 · epss 0.02

    The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.

  • CVE-2016-3170 · Med · Apr 12, 2016
    risk 0.35 · cvss 5.3 · epss 0.02

    The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits…

  • CVE-2010-5312 · Med · Nov 24, 2014
    risk 0.34 · cvss 6.1 · epss 0.18

    Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

  • CVE-2026-6367 · Med · May 19, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

  • CVE-2026-6365 · Med · May 19, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from…

  • CVE-2015-2749 · Med · Sep 13, 2017
    risk 0.33 · cvss 6.1 · epss 0.01

    Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.

  • CVE-2025-31675 · Med · Mar 31, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from…

  • CVE-2015-7880 · Med · Sep 13, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.

  • CVE-2016-9449 · Med · Nov 25, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.

  • CVE-2014-3704 · Oct 16, 2014
    risk 0.11 · cvss · epss 1.00

    The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

  • CVE-2014-9016 · Nov 24, 2014
    risk 0.10 · cvss · epss 0.83

    The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

  • CVE-2005-1921 · Jul 5, 2005
    risk 0.09 · cvss · epss 0.79

    Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7)…

  • CVE-2012-4554 · Nov 11, 2012
    risk 0.04 · cvss · epss 0.16

    The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.

  • CVE-2006-2743 · Jun 1, 2006
    risk 0.04 · cvss · epss 0.11

    Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory.

  • CVE-2007-6752 · Mar 28, 2012
    risk 0.03 · cvss · epss 0.04

    Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering…

  • CVE-2007-5416 · Oct 12, 2007
    risk 0.03 · cvss · epss 0.04

    Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by invoking the drupal_eval function through a…

  • CVE-2005-2106 · Jul 5, 2005
    risk 0.03 · cvss · epss 0.03

    Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.
