VYPR Vendor CVEs: Drupal

All CVEs

1,207 total · sorted by risk
  • CVE-2026-4093 · Medium · May 21, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term…

  • CVE-2017-6928 · Medium · Mar 1, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to…

  • CVE-2015-7878 · Medium · Nov 6, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6.x-2.x through 6.x-1.2 and 7.x-2.x through 7.x-1.0 in Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via taxonomy vocabulary and term names.

  • CVE-2015-7879 · Medium · Sep 11, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Stickynote module 7.x before 7.x-1.3 for Drupal allows remote authenticated users with permission to create or edit a stickynote to inject arbitrary web script or HTML via note text on the admin listing page.

  • CVE-2016-6212 · Medium · Sep 9, 2016
    risk 0.35 · cvss 5.3 · epss 0.02

    The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.

  • CVE-2016-3144 · Medium · Apr 15, 2016
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal allows remote authenticated users with the "Administer block classes" permission to inject arbitrary web script or HTML via a class name.

  • CVE-2016-3170 · Medium · Apr 12, 2016
    risk 0.35 · cvss 5.3 · epss 0.02

    The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits…

  • CVE-2026-3526 · Medium · Mar 26, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

  • CVE-2026-3525 · Medium · Mar 26, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

  • CVE-2010-5312 · Medium · Nov 24, 2014
    risk 0.34 · cvss 6.1 · epss 0.18

    Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

  • CVE-2026-6367 · Medium · May 19, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

  • CVE-2026-6365 · Medium · May 19, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from…

  • CVE-2023-6923 · Medium · Feb 29, 2024
    risk 0.33 · cvss 6.1 · epss 0.01

    The Matomo Analytics – Ethical Stats. Powerful Insights. plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the idsite parameter in all versions up to, and including, 4.15.3 due to insufficient input sanitization and output escaping. This makes it…

  • CVE-2015-2749 · Medium · Sep 13, 2017
    risk 0.33 · cvss 6.1 · epss 0.01

    Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.

  • CVE-2026-3213 · Medium · Mar 25, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS). This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.

  • CVE-2017-6932 · Medium · Mar 1, 2018
    risk 0.31 · cvss 4.7 · epss 0.01

    Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly…

  • CVE-2026-0748 · Medium · Mar 26, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses…

  • CVE-2025-31675 · Medium · Mar 31, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from…

  • CVE-2024-38766 · Medium · Jan 2, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in matomoteam Matomo Analytics matomo allows Cross Site Request Forgery. This issue affects Matomo Analytics: from n/a through <= 5.1.1.

  • CVE-2015-7880 · Medium · Sep 13, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.

  • CVE-2016-9449 · Medium · Nov 25, 2016
    risk 0.28 · cvss 4.3 · epss 0.02

    The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.

  • CVE-2026-6816 · Low · May 28, 2026
    risk 0.25 · cvss 3.8 · epss 0.00

    An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.

  • CVE-2026-8491 · Low · May 19, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.

  • CVE-2026-8492 · Low · May 19, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.

  • CVE-2019-6340 · KEV · Feb 21, 2019
    risk 0.16 · cvss · epss 0.92

    Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has…

  • CVE-2020-13671 · KEV · Nov 20, 2020
    risk 0.12 · cvss · epss 0.04

    Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0…

  • CVE-2014-3704 · Oct 16, 2014
    risk 0.11 · cvss · epss 1.00

    The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

  • CVE-2014-9016 · Nov 24, 2014
    risk 0.10 · cvss · epss 0.83

    The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

  • CVE-2005-1921 · Jul 5, 2005
    risk 0.09 · cvss · epss 0.79

    Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7)…

  • CVE-2012-4554 · Nov 11, 2012
    risk 0.04 · cvss · epss 0.16

    The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.

  • CVE-2006-2743 · Jun 1, 2006
    risk 0.04 · cvss · epss 0.11

    Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory.

  • CVE-2024-45440 · Aug 29, 2024
    risk 0.03 · cvss · epss 0.09

    core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

  • CVE-2007-6752 · Mar 28, 2012
    risk 0.03 · cvss · epss 0.04

    Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering…

  • CVE-2009-4429 · Dec 28, 2009
    risk 0.03 · cvss · epss 0.03

    Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field).

  • CVE-2008-5998 · Jan 28, 2009
    risk 0.03 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in the ajax_checklist_save function in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allow remote authenticated users, with "update ajax checklists" permissions, to execute arbitrary SQL commands via a save operation, related to…

  • CVE-2008-2629 · Jun 10, 2008
    risk 0.03 · cvss · epss 0.02

    SQL injection vulnerability in the LifeType (formerly pLog) module for Drupal allows remote attackers to execute arbitrary SQL commands via the albumId parameter in a ViewAlbum action to index.php.

  • CVE-2007-5416 · Oct 12, 2007
    risk 0.03 · cvss · epss 0.04

    Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by invoking the drupal_eval function through a…

  • CVE-2006-2884 · Jun 7, 2006
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in Kmita FAQ 1.0 allows remote attackers to execute arbitrary SQL commands via the catid parameter.

  • CVE-2006-2883 · Jun 7, 2006
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in search.php in Kmita FAQ 1.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter.

  • CVE-2005-2106 · Jul 5, 2005
    risk 0.03 · cvss · epss 0.03

    Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.

  • CVE-2002-1806 · Dec 31, 2002
    risk 0.03 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag.

  • CVE-2020-35191 · Dec 17, 2020
    risk 0.02 · cvss · epss 0.05

    The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank…

  • CVE-2024-55638 · Dec 9, 2024
    risk 0.01 · cvss · epss 0.01

    Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure…

  • CVE-2012-2714 · Jan 9, 2020
    risk 0.01 · cvss · epss 0.03

    The BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users via the audience identifier.

  • CVE-2026-58587 · Jul 1, 2026
    risk 0.00 · cvss · epss

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-58588 · Jul 1, 2026
    risk 0.00 · cvss · epss

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-58589 · Jul 1, 2026
    risk 0.00 · cvss · epss

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-58590 · Jul 1, 2026
    risk 0.00 · cvss · epss

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-58591 · Jul 1, 2026
    risk 0.00 · cvss · epss

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

  • CVE-2026-55807 · Jun 18, 2026
    risk 0.00 · cvss · epss

    Mentioned in Drupal. See https://www.drupal.org/security for vendor details.

Page 2 of 25