Package impact

php Packagist / drupal/core

| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-9082 | critical | 9.8 | 10.0 | 8d ago | Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. | php, drupal |
| CVE-2018-7602 | critical | | 10.0 | 8y ago | A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site. | arch, php |
| CVE-2018-7600 | critical | | 10.0 | 8y ago | Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. | arch, php |
| CVE-2020-13672 | critical | | 9.5 | 5y ago | Drupal core Cross-site Scripting (XSS) vulnerability | arch, php |
| CVE-2016-6211 | high | 8.8 | 8.8 | 10y ago | Drupal Saving user accounts can sometimes grant the user all roles | debian, php, drupal |
| CVE-2017-6381 | high | 8.1 | 8.1 | 9y ago | Drupal Remote code execution | php, drupal |
| CVE-2016-5385 | high | 8.1 | 8.1 | 10y ago | HTTP Proxy header vulnerability | suse, fedora, debian, redhat, +4 |
| CVE-2016-3171 | high | 8.1 | 8.1 | 10y ago | Drupal arbitrary code execution | debian, php, drupal |
| CVE-2016-3169 | high | 8.1 | 8.1 | 10y ago | Drupal saving user accounts can sometimes grant the user all roles | debian, php, drupal |
| CVE-2016-3162 | high | 8.1 | 8.1 | 10y ago | Drupal File upload access bypass and denial of service | debian, php, drupal |
| CVE-2020-13675 | high | | 8.0 | 5y ago | Unrestricted Upload of File with Dangerous Type in Drupal core | arch, php |
| CVE-2020-13673 | high | | 8.0 | 5y ago | The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it i… | arch, php |
| CVE-2020-13677 | high | | 8.0 | 5y ago | Drupal core access bypass vulnerability | arch, php |
| CVE-2020-13676 | high | | 8.0 | 5y ago | Incorrect Authorization in Drupal core | arch, php |
| CVE-2020-13674 | high | | 8.0 | 5y ago | Cross-Site Request Forgery in Drupal core | arch, php |
| CVE-2021-33829 | high | | 8.0 | 5y ago | ckeditor4 vulnerable to cross-site scripting | arch, debian, ruby, php, +1 |
| CVE-2017-6919 | high | 7.5 | 7.5 | 9y ago | Drupal access control bypass vulnerability | php, drupal |
| CVE-2017-6379 | high | 7.5 | 7.5 | 9y ago | Drupal Cross-Site Request Forgery (CSRF) | php, drupal |
| CVE-2017-6377 | high | 7.5 | 7.5 | 9y ago | Drupal editor module incorrectly checks access to inline private files | php, drupal |
| CVE-2016-9450 | high | 7.5 | 7.5 | 10y ago | Drupal Incorrect cache context on password reset page | arch, php, drupal |
| CVE-2016-3165 | high | 7.5 | 7.5 | 10y ago | Drupal Form API ignores access restrictions on submit buttons | php, drupal |
| CVE-2016-3163 | high | 7.5 | 7.5 | 10y ago | Drupal Brute force amplification attacks via XML-RPC | debian, php, drupal |
| CVE-2011-2687 | high | | 7.5 | 15y ago | Drupal Access Control Bypass | php, drupal |
| CVE-2016-3167 | high | 7.4 | 7.4 | 10y ago | Drupal Open redirect vulnerability in the drupal_goto function | debian, php, drupal |
| CVE-2016-3164 | high | 7.4 | 7.4 | 10y ago | Drupal Open Redirect | debian, php, drupal |
| CVE-2020-28949 | medium | | 7.0 | 6y ago | Moderate: php:7.4 security update | rockylinux, debian, php |
| CVE-2016-9451 | medium | 6.8 | 6.8 | 10y ago | Drupal Open Redirect | arch, php, drupal |
| CVE-2026-6366 | medium | 6.6 | 6.6 | 9d ago | Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a … | php, drupal |
| CVE-2016-9452 | medium | 6.5 | 6.5 | 10y ago | Drupal Denial of service via transliterate mechanism | arch, php, drupal |
| CVE-2016-3168 | medium | 6.4 | 6.4 | 10y ago | Drupal Reflected file download vulnerability | debian, php, drupal |
| CVE-2026-6367 | medium | 6.1 | 6.1 | 9d ago | Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross s… | php, drupal |
| CVE-2026-6365 | medium | 6.1 | 6.1 | 9d ago | Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability. | php, drupal |
| CVE-2016-7571 | medium | 6.1 | 6.1 | 10y ago | Drupal Cross-site scripting (XSS) vulnerability | php, drupal |
| CVE-2016-3166 | medium | 5.9 | 5.9 | 10y ago | Drupal CRLF injection vulnerability in the drupal_set_header function | debian, php, drupal |
| CVE-2021-32610 | medium | | 5.5 | 5y ago | Moderate: php:7.4 security, bug fix, and enhancement update | arch, rockylinux, debian, php |
| CVE-2020-28948 | medium | | 5.5 | 6y ago | Moderate: php:7.4 security update | rockylinux, debian, php |
| CVE-2019-11358 | medium | | 5.5 | 7y ago | XSS in jQuery as used in Drupal, Backdrop CMS, and other products | arch, rockylinux, debian, ruby, +5 |
| CVE-2016-6212 | medium | 5.3 | 5.3 | 10y ago | Drupal Views can allow unauthorized users to see Statistics information | php, drupal |
| CVE-2016-3170 | medium | 5.3 | 5.3 | 10y ago | Drupal sensitive information disclosure | debian, php, drupal |
| CVE-2016-9449 | medium | 4.3 | 4.3 | 10y ago | Drupal sensitive information disclosure | arch, php, drupal |
| CVE-2016-7572 | medium | 4.3 | 4.3 | 10y ago | Drupal Unprivileged access to config export | php, drupal |
| CVE-2016-7570 | medium | 4.3 | 4.3 | 10y ago | Drupal Users without "Administer comments" can set comment visibility on nodes they can edit | php, drupal |