Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
736 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8996 | 2 Drupal, Layout Builder Advanced Permissions Project | 2 Drupal, Layout Builder Advanced Permissions | 2025-08-21 | 4.3 Medium |
| Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0. | ||||
| CVE-2025-8995 | 2 Authenticator Login Project, Drupal | 2 Authenticator Login, Drupal | 2025-08-21 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4. | ||||
| CVE-2025-8675 | 2 Ai Seo Link Advisor Project, Drupal | 2 Ai Seo Link Advisor, Drupal | 2025-08-21 | 4.7 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.This issue affects AI SEO Link Advisor: from 0.0.0 before 1.0.6. | ||||
| CVE-2025-8361 | 2 Config Pages Project, Drupal | 2 Config Pages, Drupal | 2025-08-21 | 7.6 High |
| Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0. | ||||
| CVE-2025-8362 | 2 Drupal, Googletag Manager Project | 2 Drupal, Googletag Manager | 2025-08-21 | 4.3 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0. | ||||
| CVE-2025-6675 | 2 Drupal, Miniorange | 2 Drupal, Miniorange 2fa | 2025-07-14 | 4.8 Medium |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0.*, from 0.0.0 before 5.1.*. | ||||
| CVE-2024-22362 | 1 Drupal | 1 Drupal | 2025-06-20 | 7.5 High |
| Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. | ||||
| CVE-2025-31675 | 1 Drupal | 1 Drupal | 2025-06-02 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. | ||||
| CVE-2025-31673 | 1 Drupal | 1 Drupal | 2025-06-02 | 4.6 Medium |
| Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | ||||
| CVE-2024-55638 | 1 Drupal | 1 Drupal | 2025-06-02 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. | ||||
| CVE-2024-55637 | 1 Drupal | 1 Drupal | 2025-06-02 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. | ||||
| CVE-2024-55636 | 1 Drupal | 1 Drupal | 2025-06-02 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. | ||||
| CVE-2024-55635 | 1 Drupal | 1 Drupal | 2025-06-02 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102. | ||||
| CVE-2024-55634 | 1 Drupal | 1 Drupal | 2025-06-02 | 8.1 High |
| A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. | ||||
| CVE-2024-12393 | 1 Drupal | 1 Drupal | 2025-06-02 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. | ||||
| CVE-2024-11942 | 1 Drupal | 2 Drupal, Drupal Core | 2025-06-02 | 5.9 Medium |
| A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10. | ||||
| CVE-2024-11941 | 1 Drupal | 2 Drupal, Drupal Core | 2025-06-02 | 7.5 High |
| A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8. | ||||
| CVE-2025-31674 | 1 Drupal | 1 Drupal | 2025-05-01 | 7.5 High |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | ||||
| CVE-2022-24728 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 9 Ckeditor, Drupal, Fedora and 6 more | 2025-04-23 | 5.4 Medium |
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. | ||||
| CVE-2022-24729 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 9 Ckeditor, Drupal, Fedora and 6 more | 2025-04-23 | 6.5 Medium |
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. | ||||