Vendor CVEs
Drupal
All CVEs
1,207 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4093 | | Med | 0.35 | 5.4 | 0.00 | | May 21, 2026 | In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term… |
| CVE-2017-6928 | | Med | 0.35 | 5.3 | 0.01 | | Mar 1, 2018 | Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to… |
| CVE-2015-7878 | | Med | 0.35 | 5.4 | 0.01 | | Nov 6, 2017 | Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6.x-2.x through 6.x-1.2 and 7.x-2.x through 7.x-1.0 in Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via taxonomy vocabulary and term names. |
| CVE-2015-7879 | | Med | 0.35 | 5.4 | 0.01 | | Sep 11, 2017 | Cross-site scripting (XSS) vulnerability in the Stickynote module 7.x before 7.x-1.3 for Drupal allows remote authenticated users with permission to create or edit a stickynote to inject arbitrary web script or HTML via note text on the admin listing page. |
| CVE-2016-6212 | | Med | 0.35 | 5.3 | 0.02 | | Sep 9, 2016 | The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors. |
| CVE-2016-3144 | | Med | 0.35 | 5.4 | 0.01 | | Apr 15, 2016 | Cross-site scripting (XSS) vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal allows remote authenticated users with the "Administer block classes" permission to inject arbitrary web script or HTML via a class name. |
| CVE-2016-3170 | | Med | 0.35 | 5.3 | 0.02 | | Apr 12, 2016 | The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits… |
| CVE-2026-3526 | | Med | 0.34 | 5.3 | 0.00 | | Mar 26, 2026 | Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0. |
| CVE-2026-3525 | | Med | 0.34 | 5.3 | 0.00 | | Mar 26, 2026 | Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0. |
| CVE-2010-5312 | | Med | 0.34 | 6.1 | 0.18 | | Nov 24, 2014 | Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. |
| CVE-2026-6367 | | Med | 0.33 | 6.1 | 0.00 | | May 19, 2026 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7. |
| CVE-2026-6365 | | Med | 0.33 | 6.1 | 0.00 | | May 19, 2026 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from… |
| CVE-2023-6923 | | Med | 0.33 | 6.1 | 0.01 | | Feb 29, 2024 | The Matomo Analytics – Ethical Stats. Powerful Insights. plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the idsite parameter in all versions up to, and including, 4.15.3 due to insufficient input sanitization and output escaping. This makes it… |
| CVE-2015-2749 | | Med | 0.33 | 6.1 | 0.01 | | Sep 13, 2017 | Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. |
| CVE-2026-3213 | | Med | 0.31 | 4.7 | 0.00 | | Mar 25, 2026 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS). This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0. |
| CVE-2017-6932 | | Med | 0.31 | 4.7 | 0.01 | | Mar 1, 2018 | Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly… |
| CVE-2026-0748 | | Med | 0.28 | 4.3 | 0.00 | | Mar 26, 2026 | In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses… |
| CVE-2025-31675 | | Med | 0.28 | 5.4 | 0.00 | | Mar 31, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from… |
| CVE-2024-38766 | | Med | 0.28 | 4.3 | 0.00 | | Jan 2, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in matomoteam Matomo Analytics matomo allows Cross Site Request Forgery. This issue affects Matomo Analytics: from n/a through <= 5.1.1. |
| CVE-2015-7880 | | Med | 0.28 | 4.3 | 0.01 | | Sep 13, 2017 | The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames. |
| CVE-2016-9449 | | Med | 0.28 | 4.3 | 0.02 | | Nov 25, 2016 | The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags. |
| CVE-2026-6816 | | Low | 0.25 | 3.8 | 0.00 | | May 28, 2026 | An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2. |
| CVE-2026-8491 | | Low | 0.24 | 3.7 | 0.00 | | May 19, 2026 | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1. |
| CVE-2026-8492 | | Low | 0.18 | 2.7 | 0.00 | | May 19, 2026 | Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5. |
| CVE-2019-6340 | | | 0.16 | — | 0.92 | KEV | Feb 21, 2019 | Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has… |
| CVE-2020-13671 | | | 0.12 | — | 0.04 | KEV | Nov 20, 2020 | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0… |
| CVE-2014-3704 | | | 0.11 | — | 1.00 | | Oct 16, 2014 | The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. |
| CVE-2014-9016 | | | 0.10 | — | 0.83 | | Nov 24, 2014 | The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. |
| CVE-2005-1921 | | | 0.09 | — | 0.79 | | Jul 5, 2005 | Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7)… |
| CVE-2012-4554 | | | 0.04 | — | 0.16 | | Nov 11, 2012 | The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file. |
| CVE-2006-2743 | | | 0.04 | — | 0.11 | | Jun 1, 2006 | Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory. |
| CVE-2024-45440 | | | 0.03 | — | 0.09 | | Aug 29, 2024 | core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. |
| CVE-2007-6752 | | | 0.03 | — | 0.04 | | Mar 28, 2012 | Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering… |
| CVE-2009-4429 | | | 0.03 | — | 0.03 | | Dec 28, 2009 | Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field). |
| CVE-2008-5998 | | | 0.03 | — | 0.01 | | Jan 28, 2009 | Multiple SQL injection vulnerabilities in the ajax_checklist_save function in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allow remote authenticated users, with "update ajax checklists" permissions, to execute arbitrary SQL commands via a save operation, related to… |
| CVE-2008-2629 | | | 0.03 | — | 0.02 | | Jun 10, 2008 | SQL injection vulnerability in the LifeType (formerly pLog) module for Drupal allows remote attackers to execute arbitrary SQL commands via the albumId parameter in a ViewAlbum action to index.php. |
| CVE-2007-5416 | | | 0.03 | — | 0.04 | | Oct 12, 2007 | Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by invoking the drupal_eval function through a… |
| CVE-2006-2884 | | | 0.03 | — | 0.01 | | Jun 7, 2006 | SQL injection vulnerability in index.php in Kmita FAQ 1.0 allows remote attackers to execute arbitrary SQL commands via the catid parameter. |
| CVE-2006-2883 | | | 0.03 | — | 0.02 | | Jun 7, 2006 | Cross-site scripting (XSS) vulnerability in search.php in Kmita FAQ 1.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter. |
| CVE-2005-2106 | | | 0.03 | — | 0.03 | | Jul 5, 2005 | Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting. |
| CVE-2002-1806 | | | 0.03 | — | 0.04 | | Dec 31, 2002 | Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag. |
| CVE-2020-35191 | | | 0.02 | — | 0.05 | | Dec 17, 2020 | The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank… |
| CVE-2024-55638 | | | 0.01 | — | 0.01 | | Dec 9, 2024 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure… |
| CVE-2012-2714 | | | 0.01 | — | 0.03 | | Jan 9, 2020 | The BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users via the audience identifier. |
| CVE-2026-58587 | | | 0.00 | — | — | | Jul 1, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-58588 | | | 0.00 | — | — | | Jul 1, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-58589 | | | 0.00 | — | — | | Jul 1, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-58590 | | | 0.00 | — | — | | Jul 1, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-58591 | | | 0.00 | — | — | | Jul 1, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
| CVE-2026-55807 | | | 0.00 | — | — | | Jun 18, 2026 | Mentioned in Drupal. See https://www.drupal.org/security for vendor details. |
Page 2 of 25