pkg:Packagist/drupal/core

154 total CVEsCRITICAL23HIGH52MEDIUM75LOW2

✅ Check your installed version

All known vulnerabilities

CRITICAL9.8CVE-2026-9082⚠ KEVDrupal Core SQL Injection Vulnerability
>= 8.9.0, < 10.4.10 | >= 10.5.0, < 10.5.10 | >= 10.6.0, < 10.6.9 | >= 11.0.0, < 11.1.10 | >= 11.2.0, < 11.2.12 | >= 11.3.0, < 11.3.10
CRITICAL9.8CVE-2018-7602⚠ KEVdrupal7 - security update
>= 7.0, < 7.59
CRITICAL9.8CVE-2018-7602⚠ KEVdrupal7 - security update
>= 8.0.0, < 8.4.8 | >= 8.5.0, < 8.5.3
CRITICAL9.8CVE-2018-7600⚠ KEVdrupal7 - security update
>= 8.0.0, < 8.3.9 | >= 8.4.0, < 8.4.6 | >= 8.5.0, < 8.5.1
CRITICAL9.8CVE-2018-7600⚠ KEVdrupal7 - security update
>= 7.0, < 7.58
HIGH8.8CVE-2020-13671⚠ KEVDrupal core Unrestricted Upload of File with Dangerous Type
>= 9.0.0, < 9.0.8
HIGH8.8CVE-2020-13671⚠ KEVDrupal core Unrestricted Upload of File with Dangerous Type
>= 8.0.0, < 8.8.11 | >= 8.9.0, < 8.9.9 | >= 9.0.0, < 9.0.8
HIGH8.1CVE-2019-6340⚠ KEVDrupal Core Remote Code Execution Vulnerability
>= 8.6.0, < 8.6.10
HIGH8.1CVE-2019-6340⚠ KEVDrupal Core Remote Code Execution Vulnerability
>= 8.0.0, < 8.5.11 | >= 8.6.0, < 8.6.10
CRITICAL9.8CVE-2024-55638Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
>= 8.8.0, < 10.2.11
CRITICAL9.8CVE-2024-55638Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9
CRITICAL9.8CVE-2024-55637Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9 | >= 11.0.0, < 11.0.8
CRITICAL9.8CVE-2024-55637Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
>= 8.8.0, < 10.2.11
CRITICAL9.8CVE-2024-55636Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9 | >= 11.0.0, < 11.0.8
CRITICAL9.8CVE-2024-55636Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
>= 8.8.0, < 10.2.11
CRITICAL9.8CVE-2020-13665Drupal Core Access bypass vulnerability
>= 8.8.0, < 8.8.8
CRITICAL9.8CVE-2017-6920Drupal PECL YAML parser unsafe object handling
>= 8.0, < 8.3.4
CRITICAL9.8CVE-2017-6925Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions
>= 8.0, < 8.3.7
CRITICAL9.8CVE-2011-2715Drupal SQL Injection vulnerability
CRITICAL9.8CVE-2020-13675Unrestricted Upload of File with Dangerous Type in Drupal core
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
CRITICAL9.8CVE-2020-13675Unrestricted Upload of File with Dangerous Type in Drupal core
>= 8.0.0, < 8.9.19
CRITICAL9.8CVE-2019-6342Drupal Improper Access Control
>= 8.7.4, < 8.7.5
CRITICAL9.8CVE-2019-6342Drupal Improper Access Control
>= 8.7.4, < 8.7.5
CRITICAL9.8CVE-2019-11831drupal7 - security update
>= 8.0.0, < 8.6.16 | >= 8.7.0, < 8.7.1
CRITICAL9.8CVE-2019-11831drupal7 - security update
>= 7.0.0, < 7.67.0
CRITICAL9.8CVE-2019-6339drupal7 - security update
>= 8.0.0, < 8.5.9 | >= 8.6.0, < 8.6.6
CRITICAL9.8CVE-2019-6339drupal7 - security update
>= 7.0.0, < 7.62.0
HIGH8.8CVE-2016-6211drupal7 - security update
>= 7.0, < 7.44
HIGH8.8CVE-2020-13664Drupal Core Arbitrary PHP code execution vulnerability
>= 8.0.0, < 8.8.8 | >= 8.9.0, < 8.9.1 | >= 9.0.0, < 9.0.1
HIGH8.8CVE-2020-13664Drupal Core Arbitrary PHP code execution vulnerability
>= 8.8.0, < 8.8.8
HIGH8.8CVE-2020-13663drupal7 - security update
>= 8.9.0, < 8.9.1
HIGH8.8CVE-2020-13663drupal7 - security update
>= 8.0.0, < 8.8.8 | >= 8.9.0, < 8.9.1 | >= 9.0.0, < 9.0.1
HIGH8.1CVE-2024-55634Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
>= 8.0.0, < 10.2.11
HIGH8.1CVE-2024-55634Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9 | >= 11.0.0, < 11.0.8
HIGH8.1CVE-2016-3169Drupal saving user accounts can sometimes grant the user all roles
>= 6.0, < 6.38
HIGH8.1CVE-2016-3162drupal7 - security update
>= 7.0, < 7.43
HIGH8.1CVE-2016-3171Drupal arbitrary code execution
>= 6.0, < 6.38
HIGH8.1CVE-2017-6926Drupal Comment reply form allows access to restricted content
>= 8.4.0, < 8.4.5
HIGH8.1CVE-2017-6930Drupal access bypass vulnerability
>= 8.4.0, < 8.4.5
HIGH8.1CVE-2017-6381Drupal Remote code execution
>= 8.0, < 8.2.7
HIGH8.1CVE-2016-5385php5 - security update
>= 8.0, < 8.1.7
HIGH8.0CVE-2022-29248Cross-domain cookie leakage in Guzzle
>= 8.0.0, < 9.2.20 | >= 9.3.0, < 9.3.14
HIGH8.0CVE-2019-6338drupal7 - security update
>= 8.0.0, < 8.5.9 | >= 8.6.0, < 8.6.6
HIGH7.8CVE-2020-28948php-pear - security update
>= 8.0.0, < 8.8.12 | >= 8.9.0, < 8.9.10 | >= 9.0.0, < 9.0.9
HIGH7.5CVE-2025-31674Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
>= 8.0.0, < 10.3.13 | >= 10.4.0, < 10.4.3 | >= 11.0.0, < 11.0.12 | >= 11.1.0, < 11.1.3
HIGH7.5CVE-2025-31674Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
>= 8.0.0, < 10.3.13
HIGH7.5CVE-2024-11941Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
>= 10.1.0, < 10.1.8
HIGH7.5CVE-2024-11941Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
>= 8.0.0, < 10.1.8 | >= 10.2.0, < 10.2.2
HIGH7.5CVE-2024-22362Drupal Denial of Service vulnerability
HIGH7.5CVE-2023-5256Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
>= 8.7.0, < 9.5.11
HIGH7.5CVE-2023-5256Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
>= 8.7.0, < 9.5.11 | >= 10.0.0, < 10.0.11 | >= 10.1.0, < 10.1.4
HIGH7.5CVE-2022-39261Twig may load a template outside a configured directory when using the filesystem loader
>= 8.0.0, < 9.3.22 | >= 9.4.0, < 9.4.7
HIGH7.5CVE-2022-25275Drupal core Information Disclosure vulnerability
>= 7.0.0, < 7.91
HIGH7.5CVE-2022-25275Drupal core Information Disclosure vulnerability
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3
HIGH7.5CVE-2022-31042Fix failure to strip Authorization header on HTTP downgrade in Guzzle
>= 8.0.0, < 9.2.21 | >= 9.3.0, < 9.3.16
HIGH7.5CVE-2016-3165Drupal Form API ignores access restrictions on submit buttons
>= 6.0, < 6.38
HIGH7.5CVE-2016-3163Drupal Brute force amplification attacks via XML-RPC
>= 7.0, < 7.43
HIGH7.5CVE-2016-9450Drupal Incorrect cache context on password reset page
>= 8.0, < 8.2.3
HIGH7.5CVE-2017-6379Drupal Cross-Site Request Forgery (CSRF)
>= 8.2.0, < 8.2.7
HIGH7.5CVE-2017-6919Drupal access control bypass vulnerability
>= 8.0, < 8.2.8
HIGH7.5CVE-2017-6377Drupal editor module incorrectly checks access to inline private files
>= 8.2.0, < 8.2.7
HIGH7.5CVE-2022-25273Improper input validation in Drupal core
>= 8.0.0, < 9.2.18
HIGH7.5CVE-2022-25273Improper input validation in Drupal core
>= 8.0.0, < 9.2.18 | >= 9.3.0, < 9.3.12
HIGH7.5CVE-2022-25271drupal7 - security update
>= 9.3.0, < 9.3.6
HIGH7.5CVE-2022-25271drupal7 - security update
>= 8.0.0, < 9.2.13 | >= 9.3.0, < 9.3.6
HIGH7.5CVE-2020-13677Drupal core access bypass vulnerability
>= 8.0.0, < 8.9.19
HIGH7.5CVE-2020-13677Drupal core access bypass vulnerability
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
HIGH7.5CVE-2020-13670Exposure of Resource to Wrong Sphere in Drupal Core
>= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
HIGH7.5CVE-2020-13670Exposure of Resource to Wrong Sphere in Drupal Core
>= 8.0.0, < 8.8.10
HIGH7.4CVE-2016-3164Drupal Open Redirect
>= 8.0, < 8.0.4
HIGH7.4CVE-2016-3167Drupal Open redirect vulnerability in the drupal_goto function
>= 6.0, < 6.38
HIGH7.4CVE-2017-6924Drupal REST API can bypass comment approval
>= 8.0, < 8.3.7
HIGH7.2CVE-2022-25277Drupal core arbitrary PHP code execution
>= 8.0.0, < 9.3.19
HIGH7.2CVE-2022-25277Drupal core arbitrary PHP code execution
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3
HIGH7.1CVE-2021-32610drupal7 - security update
>= 8.0.0, < 8.9.17 | >= 9.1.0, < 9.1.11 | >= 9.2.0, < 9.2.2
MEDIUM6.8CVE-2016-9451Drupal Open Redirect
>= 7.0, < 7.52
MEDIUM6.6CVE-2026-6366Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
>= 8.0.0, < 10.5.9 | >= 10.6.0, < 10.6.7 | >= 11.0.0, < 11.2.11 | >= 11.3.0, < 11.3.7
MEDIUM6.5CVE-2023-31250Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
>= 8.0.0, < 9.4.14 | >= 9.5.0, < 9.5.8 | >= 10.0.0, < 10.0.8
MEDIUM6.5CVE-2023-31250Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
>= 10.0.0, < 10.0.8
MEDIUM6.5CVE-2022-25278Access bypass in Drupal Core
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3
MEDIUM6.5CVE-2022-25278Access bypass in Drupal Core
>= 8.0.0, < 9.3.19
MEDIUM6.5CVE-2016-9452Drupal Denial of service via transliterate mechanism
>= 8.0, < 8.2.3
MEDIUM6.5CVE-2017-6931Drupal Settings Tray access bypass
>= 8.4.0, < 8.4.5
MEDIUM6.5CVE-2017-6922drupal7 - security update
>= 7.0, < 7.56
MEDIUM6.5CVE-2022-25270Incorrect authorization in Drupal core
>= 9.3.0, < 9.3.6
MEDIUM6.5CVE-2022-25270Incorrect authorization in Drupal core
>= 8.0.0, < 9.2.13 | >= 9.3.0, < 9.3.6
MEDIUM6.5CVE-2020-13676Incorrect Authorization in Drupal core
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
MEDIUM6.5CVE-2020-13676Incorrect Authorization in Drupal core
>= 8.0.0, < 8.9.19
MEDIUM6.5CVE-2020-13674Cross-Site Request Forgery in Drupal core
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
MEDIUM6.5CVE-2020-13674Cross-Site Request Forgery in Drupal core
>= 8.0.0, < 8.9.19
MEDIUM6.5CVE-2017-6923Missing Authorization in Drupal
>= 8.0, < 8.3.7
MEDIUM6.4CVE-2016-3168Drupal Reflected file download vulnerability
>= 6.0, < 6.38
MEDIUM6.1CVE-2026-6367Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
>= 11.3.0, < 11.3.7
MEDIUM6.1CVE-2026-6365Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
>= 8.0.0, < 10.5.9 | >= 10.6.0, < 10.6.7 | >= 11.0.0, < 11.2.11 | >= 11.3.0, < 11.3.7
MEDIUM6.1CVE-2025-3057Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
>= 8.0.0, < 10.3.13 | >= 10.4.0, < 10.4.3 | >= 11.0.0, < 11.0.12 | >= 11.1.0, < 11.1.3
MEDIUM6.1CVE-2025-3057Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
>= 8.0.0, < 10.3.13
MEDIUM6.1CVE-2022-25276Lack of domain validation in Druple core
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3
MEDIUM6.1CVE-2022-25276Lack of domain validation in Druple core
>= 8.0.0, < 9.3.19
MEDIUM6.1CVE-2020-13662drupal7 - security update
>= 7.0.0, < 7.70
MEDIUM6.1CVE-2016-7571Drupal Cross-site scripting (XSS) vulnerability
>= 8.0, < 8.1.10
MEDIUM6.1CVE-2017-6929Drupal cross site scripting vulnerability
>= 7.0, < 7.57
MEDIUM6.1CVE-2017-6927drupal7 - security update
>= 8.4.0, < 8.4.5
MEDIUM6.1CVE-2018-9861Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS)
>= 8.5.0, < 8.5.2
MEDIUM6.1CVE-2018-9861Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS)
>= 8.0.0, < 8.4.7 | >= 8.5.0, < 8.5.2
MEDIUM6.1CVE-2011-2714Drupal Cross-Site Scripting vulnerability
MEDIUM6.1CVE-2020-13668Access bypass in Drupal Core 8/9
>= 8.0.0, < 8.8.10
MEDIUM6.1CVE-2021-33829ckeditor4 vulnerable to cross-site scripting
>= 7.0.0, < 7.80
MEDIUM6.1CVE-2021-33829ckeditor4 vulnerable to cross-site scripting
>= 8.0.0, < 8.9.16 | >= 9.0.0, < 9.0.14 | >= 9.1.0, < 9.1.9
MEDIUM6.1CVE-2020-13672drupal7 - security update
>= 7.0.0, < 7.80
MEDIUM6.1CVE-2020-13672drupal7 - security update
>= 8.0.0, < 8.9.14 | >= 9.0.0, < 9.0.12 | >= 9.1.0, < 9.1.7
MEDIUM6.1CVE-2020-13669Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
>= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
MEDIUM6.1CVE-2020-13669Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
>= 8.0.0, < 8.8.10
MEDIUM6.1CVE-2020-13688Drupal Core Cross-site scripting vulnerability
>= 8.8.0, < 8.8.10
MEDIUM6.1CVE-2020-13688Drupal Core Cross-site scripting vulnerability
>= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
MEDIUM6.1CVE-2020-13666drupal7 - security update
>= 8.8.0, < 8.8.10
MEDIUM6.1CVE-2020-13666drupal7 - security update
>= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
MEDIUM6.1CVE-2019-11358XSS in jQuery as used in Drupal, Backdrop CMS, and other products
>= 8.0.0, < 8.5.15 | >= 8.6.0, < 8.6.15
MEDIUM5.9CVE-2025-13081Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
>= 8.0.0, < 10.4.9
MEDIUM5.9CVE-2025-13081Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
>= 8.0.0, < 10.4.9 | >= 10.5.0, < 10.5.6 | >= 11.0.0, < 11.1.9 | >= 11.2.0, < 11.2.8
MEDIUM5.9CVE-2024-11942Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
>= 10.0.0, < 10.2.10
MEDIUM5.9CVE-2024-11942Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
>= 10.0.0, < 10.2.10
MEDIUM5.9CVE-2016-3166Drupal CRLF injection vulnerability in the drupal_set_header function
>= 6.0, < 6.38
MEDIUM5.9CVE-2017-6921Drupal file REST resource does not properly validate
>= 8.0, < 8.3.4
MEDIUM5.4CVE-2025-31675Drupal Core Cross-Site Scripting (XSS) Vulnerability
>= 8.0.0, < 10.3.14
MEDIUM5.4CVE-2025-31675Drupal Core Cross-Site Scripting (XSS) Vulnerability
>= 8.0.0, < 10.3.14 | >= 10.4.0, < 10.4.5 | >= 11.0.0, < 11.0.13 | >= 11.1.0, < 11.1.5
MEDIUM5.4CVE-2024-12393Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
>= 8.8.0, < 10.2.11 | >= 10.3.0, < 10.3.9 | >= 11.0.0, < 11.0.8
MEDIUM5.4CVE-2024-12393Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
>= 8.8.0, < 10.2.11
MEDIUM5.4CVE-2022-25274Access bypass in Drupal core
>= 9.3.0, < 9.3.12
MEDIUM5.4CVE-2022-25274Access bypass in Drupal core
>= 9.3.0, < 9.3.12
MEDIUM5.4CVE-2022-24728Cross-site Scripting in CKEditor4
>= 8.0.0, < 9.2.15 | >= 9.3.0, < 9.3.8
MEDIUM5.4CVE-2019-10909symfony - security update
>= 8.0.0, < 8.5.15
MEDIUM5.4CVE-2019-6341drupal7 - security update
>= 7.0.0, < 7.65.0
MEDIUM5.4CVE-2019-6341drupal7 - security update
>= 8.0.0, < 8.5.14 | >= 8.6.0, < 8.6.13
MEDIUM5.3CVE-2025-13080Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
>= 8.0.0, < 10.4.9
MEDIUM5.3CVE-2025-13080Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
>= 8.0.0, < 10.4.9 | >= 10.5.0, < 10.5.6 | >= 11.0.0, < 11.1.9 | >= 11.2.0, < 11.2.8
MEDIUM5.3CVE-2024-45440Drupal Full Path Disclosure
>= 10.3.0, < 10.3.6
MEDIUM5.3CVE-2016-3170Drupal sensitive information disclosure
>= 7.0, < 7.43
MEDIUM5.3CVE-2016-6212Drupal Views can allow unauthorized users to see Statistics information
>= 8.0, < 8.1.3
MEDIUM5.3CVE-2017-6928Drupal access bypass vulnerability
>= 7.0, < 7.57
MEDIUM5.3CVE-2022-24775Improper Input Validation in guzzlehttp/psr7
>= 8.0.0, < 9.2.16 | >= 9.3.0, < 9.3.9
MEDIUM5.3CVE-2020-13667Drupal Core Access bypass vulnerability
>= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
MEDIUM5.3CVE-2020-13667Drupal Core Access bypass vulnerability
>= 8.8.0, < 8.8.10
MEDIUM4.7CVE-2017-6932Drupal external link injection vulnerability
>= 7.0, < 7.57
MEDIUM4.6CVE-2025-31673Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
>= 8.0.0, < 10.3.13 | >= 10.4.0, < 10.4.3 | >= 11.0.0, < 11.0.12 | >= 11.1.0, < 11.1.3
MEDIUM4.6CVE-2025-31673Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
>= 8.0.0, < 10.3.13
MEDIUM4.3CVE-2025-13082Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
>= 8.0.0, < 10.4.9 | >= 10.5.0, < 10.5.6 | >= 11.0.0, < 11.1.9 | >= 11.2.0, < 11.2.8
MEDIUM4.3CVE-2025-13082Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
>= 8.0.0, < 10.4.9
MEDIUM4.3CVE-2016-7570Drupal Users without "Administer comments" can set comment visibility on nodes they can edit
>= 8.0.0, < 8.1.10
MEDIUM4.3CVE-2016-7572Drupal Unprivileged access to config export
>= 8.0, < 8.1.10
MEDIUM4.3CVE-2016-9449drupal7 - security update
>= 7.0, < 7.52
LOW3.7CVE-2025-13083Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
>= 8.0.0, < 10.4.9
LOW3.7CVE-2025-13083Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
>= 8.0.0, < 10.4.9 | >= 10.5.0, < 10.5.6 | >= 11.0.0, < 11.1.9 | >= 11.2.0, < 11.2.8
—CVE-2011-2687Drupal Access Control Bypass
>= 7.0, < 7.3
—CVE-2020-13673The Drupal core Media module allows embedding internal and external media in content fields.
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6