Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 721 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-6381 1 Drupal 1 Drupal 2025-04-20 6.8 MEDIUM 8.1 HIGH
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments
CVE-2025-3057 1 Drupal 1 Drupal 2025-04-15 N/A 6.1 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
CVE-2016-9450 1 Drupal 1 Drupal 2025-04-12 5.0 MEDIUM 7.5 HIGH
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
CVE-2016-3170 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 5.0 MEDIUM 5.3 MEDIUM
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
CVE-2015-3233 1 Drupal 1 Drupal 2025-04-12 5.8 MEDIUM N/A
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2016-3171 3 Debian, Drupal, Php 3 Debian Linux, Drupal, Php 2025-04-12 6.8 MEDIUM 8.1 HIGH
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
CVE-2014-2983 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 5.0 MEDIUM N/A
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.
CVE-2013-4177 2 Drupal, Google Authenticator Login Project 2 Drupal, Ga Login 2025-04-12 5.0 MEDIUM N/A
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors.
CVE-2015-6658 1 Drupal 1 Drupal 2025-04-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.
CVE-2013-4178 2 Drupal, Google Authenticator Login Project 2 Drupal, Ga Login 2025-04-12 5.0 MEDIUM N/A
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP).
CVE-2016-6211 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 6.5 MEDIUM 8.8 HIGH
The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.
CVE-2014-5019 1 Drupal 1 Drupal 2025-04-12 5.0 MEDIUM N/A
The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.
CVE-2013-1946 2 Drupal, Restful Web Services Project 2 Drupal, Restful Web Services 2025-04-12 4.3 MEDIUM N/A
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
CVE-2014-5267 1 Drupal 1 Drupal 2025-04-12 6.8 MEDIUM N/A
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.
CVE-2014-9016 3 Debian, Drupal, Secure Password Hashes Project 3 Debian Linux, Drupal, Secure Passwords Hashes 2025-04-12 5.0 MEDIUM N/A
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
CVE-2015-8095 2 Drupal, Monster Menus Module Project 2 Drupal, Monster Menus 2025-04-12 5.0 MEDIUM N/A
The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern.
CVE-2016-7571 1 Drupal 1 Drupal 2025-04-12 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
CVE-2015-6661 1 Drupal 1 Drupal 2025-04-12 5.0 MEDIUM N/A
Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.
CVE-2013-4498 2 Drupal, Florian Weber 2 Drupal, Spaces 2025-04-12 2.1 LOW N/A
The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content.
CVE-2015-2559 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 3.5 LOW N/A
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.