VYPR

Drupal Core

by Drupal

CVEs (52)

  • CVE-2026-9082 | Cri | KEV | May 20, 2026
    risk 0.80 | cvss 9.8 | epss 0.85

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before…

  • CVE-2020-13671 | Hig | KEV | Nov 20, 2020
    risk 0.70 | cvss 8.8 | epss 0.04

    Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0…

  • CVE-2019-6340 | Hig | KEV | Feb 21, 2019
    risk 0.68 | cvss 8.1 | epss 0.92

    Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has…

  • CVE-2017-6920 | Cri | Aug 6, 2018
    risk 0.65 | cvss 9.8 | epss 0.20

    Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.

  • CVE-2024-55638 | Cri | Dec 10, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure…

  • CVE-2020-13665 | Cri | May 5, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions…

  • CVE-2019-6342 | Cri | May 28, 2020
    risk 0.64 | cvss 9.8 | epss 0.02

    An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

  • CVE-2019-6339 | Cri | Jan 22, 2019
    risk 0.59 | cvss 9.8 | epss 0.33

    In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom)…

  • CVE-2024-55637 | Cri | Dec 10, 2024
    risk 0.57 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure…

  • CVE-2024-55636 | Cri | Dec 10, 2024
    risk 0.57 | cvss 9.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure…

  • CVE-2020-13664 | Hig | May 5, 2021
    risk 0.57 | cvss 8.8 | epss 0.03

    Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker…

  • CVE-2017-6930 | Hig | Mar 1, 2018
    risk 0.53 | cvss 8.1 | epss 0.01

    In Drupal 8.4.x versions before 8.4.5, when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of…

  • CVE-2017-6926 | Hig | Mar 1, 2018
    risk 0.53 | cvss 8.1 | epss 0.01

    In Drupal 8.4.x versions before 8.4.5, users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be…

  • CVE-2017-6381 | Hig | Mar 16, 2017
    risk 0.53 | cvss 8.1 | epss 0.04

    A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You…

  • CVE-2020-13663 | Hig | Jun 11, 2021
    risk 0.50 | cvss 8.8 | epss 0.01

    Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

  • CVE-2025-31674 | Hig | Mar 31, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

  • CVE-2024-11941 | Hig | Dec 5, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    A vulnerability in Drupal Core allows Excessive Allocation. This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.

  • CVE-2011-2726 | Hig | Nov 15, 2019
    risk 0.49 | cvss 7.5 | epss 0.02

    An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent…

  • CVE-2017-6379 | Hig | Mar 16, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

  • CVE-2017-6377 | Hig | Mar 16, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.

Page 1 of 3