VYPR
Vendor

Backdrop Contrib

Products: 8
CVEs: 9
Across products: 9
Status: Private

Recent CVEs (9)
  • CVE-2025-27822 | High | Mar 7, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with…

  • CVE-2015-7875 | High | Aug 7, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal does not verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.

  • CVE-2026-45430 | High | May 12, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.

  • CVE-2025-27826 | Medium | Mar 7, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    An XSS issue was discovered in the Bootstrap Lite theme before 1.x-1.4.5 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.

  • CVE-2025-27825 | Medium | Mar 7, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    An XSS issue was discovered in the Bootstrap 5 Lite theme before 1.x-1.0.3 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.

  • CVE-2025-27824 | Medium | Mar 7, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn't sufficiently sanitize input before displaying results to the screen. This vulnerability is mitigated by the fact that an attacker must have the ability to create content…

  • CVE-2025-27823 | Medium | Mar 7, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    An issue was discovered in the Mail Disguise module before 1.x-1.0.5 for Backdrop CMS. It enables a website to obfuscate email addresses, and should prevent spambots from collecting them. The module doesn't sufficiently validate the data attribute value on links, potentially…

  • CVE-2015-3389 | Apr 21, 2015
    risk 0.00 | cvss (none listed) | epss 0.01

    Cross-site scripting (XSS) vulnerability in the Download counts report page in the Public Download Count module (pubdlcnt) 7.x-1.x-dev and earlier for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2011-5188 | Sep 20, 2012
    risk 0.00 | cvss (none listed) | epss 0.01

    Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors.