Package impact

Packagist / drupal/core

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2026-9082	critical	9.8	10.0	7d ago	Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
CVE-2018-7602	critical	—	10.0	8y ago	A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.
CVE-2018-7600	critical	—	10.0	8y ago	Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise.
CVE-2020-13672	critical	—	9.5	5y ago	Drupal core Cross-site Scripting (XSS) vulnerability
CVE-2016-6211	high	8.8	8.8	10y ago	Drupal Saving user accounts can sometimes grant the user all roles
CVE-2017-6381	high	8.1	8.1	9y ago	Drupal Remote code execution
CVE-2016-5385	high	8.1	8.1	10y ago	HTTP Proxy header vulnerability	+1
CVE-2016-3171	high	8.1	8.1	10y ago	Drupal arbitrary code execution
CVE-2016-3169	high	8.1	8.1	10y ago	Drupal saving user accounts can sometimes grant the user all roles
CVE-2016-3162	high	8.1	8.1	10y ago	Drupal File upload access bypass and denial of service
CVE-2020-13675	high	—	8.0	5y ago	Unrestricted Upload of File with Dangerous Type in Drupal core
CVE-2020-13673	high	—	8.0	5y ago	The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it i…
CVE-2020-13677	high	—	8.0	5y ago	Drupal core access bypass vulnerability
CVE-2020-13676	high	—	8.0	5y ago	Incorrect Authorization in Drupal core
CVE-2020-13674	high	—	8.0	5y ago	Cross-Site Request Forgery in Drupal core
CVE-2021-33829	high	—	8.0	5y ago	ckeditor4 vulnerable to cross-site scripting	+1
CVE-2017-6919	high	7.5	7.5	9y ago	Drupal access control bypass vulnerability
CVE-2017-6379	high	7.5	7.5	9y ago	Drupal Cross-Site Request Forgery (CSRF)
CVE-2017-6377	high	7.5	7.5	9y ago	Drupal editor module incorrectly checks access to inline private files
CVE-2016-9450	high	7.5	7.5	10y ago	Drupal Incorrect cache context on password reset page
CVE-2016-3165	high	7.5	7.5	10y ago	Drupal Form API ignores access restrictions on submit buttons
CVE-2016-3163	high	7.5	7.5	10y ago	Drupal Brute force amplification attacks via XML-RPC
CVE-2011-2687	high	—	7.5	15y ago	Drupal Access Control Bypass
CVE-2016-3167	high	7.4	7.4	10y ago	Drupal Open redirect vulnerability in the drupal_goto function
CVE-2016-3164	high	7.4	7.4	10y ago	Drupal Open Redirect
CVE-2020-28949	medium	—	7.0	6y ago	Moderate: php:7.4 security update
CVE-2016-9451	medium	6.8	6.8	10y ago	Drupal Open Redirect
CVE-2026-6366	medium	6.6	6.6	8d ago	Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a …
CVE-2016-9452	medium	6.5	6.5	10y ago	Drupal Denial of service via transliterate mechanism
CVE-2016-3168	medium	6.4	6.4	10y ago	Drupal Reflected file download vulnerability
CVE-2026-6367	medium	6.1	6.1	8d ago	Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross s…
CVE-2026-6365	medium	6.1	6.1	8d ago	Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability.
CVE-2016-7571	medium	6.1	6.1	10y ago	Drupal Cross-site scripting (XSS) vulnerability
CVE-2016-3166	medium	5.9	5.9	10y ago	Drupal CRLF injection vulnerability in the drupal_set_header function
CVE-2021-32610	medium	—	5.5	5y ago	Moderate: php:7.4 security, bug fix, and enhancement update
CVE-2020-28948	medium	—	5.5	6y ago	Moderate: php:7.4 security update
CVE-2019-11358	medium	—	5.5	7y ago	Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update	+5
CVE-2016-6212	medium	5.3	5.3	10y ago	Drupal Views can allow unauthorized users to see Statistics information
CVE-2016-3170	medium	5.3	5.3	10y ago	Drupal sensitive information disclosure
CVE-2016-9449	medium	4.3	4.3	10y ago	Drupal sensitive information disclosure
CVE-2016-7572	medium	4.3	4.3	10y ago	Drupal Unprivileged access to config export
CVE-2016-7570	medium	4.3	4.3	10y ago	Drupal Users without "Administer comments" can set comment visibility on nodes they can edit
CVE-2020-13671	unknown	—	1.5	6y ago	Improper sanitization in the extension file names is present in Drupal core.
CVE-2019-6340	unknown	—	1.5	7y ago	In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
CVE-2025-13083	unknown	—	—	7mo ago	Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
CVE-2025-13082	unknown	—	—	7mo ago	Drupal core allows Content Spoofing
CVE-2025-13081	unknown	—	—	7mo ago	Drupal core allows Object Injection
CVE-2025-13080	unknown	—	—	7mo ago	Drupal core allows Forceful Browsing
CVE-2025-31675	unknown	—	—	1y ago	Drupal Core Cross-Site Scripting (XSS) Vulnerability
CVE-2025-31674	unknown	—	—	1y ago	Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
CVE-2025-31673	unknown	—	—	1y ago	Drupal Core Vulnerable to Forceful Browsing
CVE-2025-3057	unknown	—	—	1y ago	Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
CVE-2024-55638	unknown	—	—	2y ago	Drupal core contains a potential PHP Object Injection vulnerability
CVE-2024-55637	unknown	—	—	2y ago	Drupal core contains a potential PHP Object Injection vulnerability
CVE-2024-55636	unknown	—	—	2y ago	Drupal core contains a potential PHP Object Injection vulnerability
CVE-2024-55634	unknown	—	—	2y ago	Drupal core Access bypass
CVE-2024-12393	unknown	—	—	2y ago	Drupal Core Cross-Site Scripting (XSS)
CVE-2024-11942	unknown	—	—	2y ago	Drupal core vulnerable to improper error handling
CVE-2024-45440	unknown	—	—	2y ago	Drupal Full Path Disclosure
CVE-2024-11941	unknown	—	—	2y ago	Drupal core Denial of Service
CVE-2024-22362	unknown	—	—	2y ago	Drupal Denial of Service vulnerability
CVE-2023-5256	unknown	—	—	3y ago	Cache poisoning in drupal/core
CVE-2023-31250	unknown	—	—	3y ago	Access bypass in Drupal core
CVE-2022-39261	unknown	—	—	4y ago	Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us…
CVE-2022-25276	unknown	—	—	4y ago	Lack of domain validation in Druple core
CVE-2022-25277	unknown	—	—	4y ago	Drupal core arbitrary PHP code execution
CVE-2022-25278	unknown	—	—	4y ago	Access bypass in Drupal Core
CVE-2022-25275	unknown	—	—	4y ago	Drupal core Information Disclosure vulnerability
CVE-2022-31043	unknown	—	—	4y ago	Fix failure to strip Authorization header on HTTP downgrade
CVE-2022-31042	unknown	—	—	4y ago	Fix failure to strip Authorization header on HTTP downgrade
CVE-2022-29248	unknown	—	—	4y ago	Cross-domain cookie leakage in Guzzle
CVE-2020-13665	unknown	—	—	4y ago	Drupal Core Access bypass vulnerability
CVE-2020-13662	unknown	—	—	4y ago	Drupal Core Open Redirect vulnerability
CVE-2017-6929	unknown	—	—	4y ago	Drupal cross site scripting vulnerability
CVE-2017-6932	unknown	—	—	4y ago	Drupal external link injection vulnerability
CVE-2017-6927	unknown	—	—	4y ago	Drupal cross-site scripting vulnerability
CVE-2017-6926	unknown	—	—	4y ago	Drupal Comment reply form allows access to restricted content
CVE-2017-6920	unknown	—	—	4y ago	Drupal PECL YAML parser unsafe object handling
CVE-2018-9861	unknown	—	—	4y ago	Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS)
CVE-2017-6931	unknown	—	—	4y ago	Drupal Settings Tray access bypass
CVE-2017-6925	unknown	—	—	4y ago	Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions
CVE-2017-6928	unknown	—	—	4y ago	Drupal access bypass vulnerability
CVE-2017-6930	unknown	—	—	4y ago	Drupal access bypass vulnerability
CVE-2017-6924	unknown	—	—	4y ago	Drupal REST API can bypass comment approval
CVE-2017-6922	unknown	—	—	4y ago	Drupal core access bypass vulnerability
CVE-2017-6921	unknown	—	—	4y ago	Drupal file REST resource does not properly validate
CVE-2011-2714	unknown	—	—	4y ago	Drupal Cross-Site Scripting vulnerability
CVE-2011-2715	unknown	—	—	4y ago	Drupal SQL Injection vulnerability
CVE-2022-25274	unknown	—	—	4y ago	Access bypass in Drupal core
CVE-2022-25273	unknown	—	—	4y ago	Improper input validation in Drupal core
CVE-2022-24775	unknown	—	—	4y ago	Improper Input Validation in guzzlehttp/psr7
CVE-2022-24729	unknown	—	—	4y ago	The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/cked…
CVE-2022-24728	unknown	—	—	4y ago	The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/cked…
CVE-2022-25270	unknown	—	—	4y ago	Incorrect authorization in Drupal core
CVE-2022-25271	unknown	—	—	4y ago	Improper input validation in Drupal core
CVE-2020-13668	unknown	—	—	4y ago	Cross-site Scripting in Drupal Core
CVE-2020-13670	unknown	—	—	6y ago	Exposure of Resource to Wrong Sphere in Drupal Core
CVE-2020-13667	unknown	—	—	6y ago	Drupal Core Access bypass vulnerability
CVE-2020-13669	unknown	—	—	6y ago	Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
CVE-2020-13688	unknown	—	—	6y ago	Drupal Core Cross-site scripting vulnerability