Drupal
by Drupal
CVEs (203)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2002-1806 | | | 0.03 | — | 0.04 | | Dec 31, 2002 | Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag. |
| CVE-2020-35191 | | | 0.02 | — | 0.05 | | Dec 17, 2020 | The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank… |
| CVE-2026-55807 | | | 0.00 | — | — | | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-11908 | | | 0.00 | — | — | | Jun 10, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-11909 | | | 0.00 | — | — | | Jun 10, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-11913 | | | 0.00 | — | — | | Jun 10, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-11914 | | | 0.00 | — | — | | Jun 10, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-11915 | | | 0.00 | — | — | | Jun 10, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-10768 | | | 0.00 | — | — | | Jun 3, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-49977 | | | 0.00 | — | — | | Jun 3, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-10769 | | | 0.00 | — | — | | Jun 3, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-10770 | | | 0.00 | — | — | | Jun 3, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2025-12848 | | | 0.00 | — | 0.00 | | Nov 26, 2025 | Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img… |
| CVE-2024-34481 | | | 0.00 | — | 0.01 | | Jul 5, 2024 | drupal-wiki.com Drupal Wiki before 8.31.1 allows XSS via comments, captions, and image titles of a Wiki page. |
| CVE-2024-22362 | | | 0.00 | — | 0.01 | | Jan 16, 2024 | Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. |
| CVE-2019-6342 | | | 0.00 | — | 0.02 | | May 28, 2020 | An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. |
| CVE-2011-2726 | | | 0.00 | — | 0.02 | | Nov 15, 2019 | An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent… |
| CVE-2010-2473 | | | 0.00 | — | 0.01 | | Nov 7, 2019 | Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. |
| CVE-2010-2472 | | | 0.00 | — | 0.01 | | Nov 7, 2019 | Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This… |
| CVE-2010-2250 | | | 0.00 | — | 0.01 | | Nov 7, 2019 | Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. |