Package impact

Packagist / drupal/core

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2016-6211	high	8.8	8.8	10y ago	Drupal Saving user accounts can sometimes grant the user all roles
CVE-2017-6381	high	8.1	8.1	9y ago	Drupal Remote code execution
CVE-2016-5385	high	8.1	8.1	10y ago	HTTP Proxy header vulnerability	+1
CVE-2016-3171	high	8.1	8.1	10y ago	Drupal arbitrary code execution
CVE-2016-3169	high	8.1	8.1	10y ago	Drupal saving user accounts can sometimes grant the user all roles
CVE-2016-3162	high	8.1	8.1	10y ago	Drupal File upload access bypass and denial of service
CVE-2020-13675	high	—	8.0	5y ago	Unrestricted Upload of File with Dangerous Type in Drupal core
CVE-2020-13673	high	—	8.0	5y ago	The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it i…
CVE-2020-13677	high	—	8.0	5y ago	Drupal core access bypass vulnerability
CVE-2020-13676	high	—	8.0	5y ago	Incorrect Authorization in Drupal core
CVE-2020-13674	high	—	8.0	5y ago	Cross-Site Request Forgery in Drupal core
CVE-2021-33829	high	—	8.0	5y ago	ckeditor4 vulnerable to cross-site scripting	+1
CVE-2017-6919	high	7.5	7.5	9y ago	Drupal access control bypass vulnerability
CVE-2017-6379	high	7.5	7.5	9y ago	Drupal Cross-Site Request Forgery (CSRF)
CVE-2017-6377	high	7.5	7.5	9y ago	Drupal editor module incorrectly checks access to inline private files
CVE-2016-9450	high	7.5	7.5	10y ago	Drupal Incorrect cache context on password reset page
CVE-2016-3165	high	7.5	7.5	10y ago	Drupal Form API ignores access restrictions on submit buttons
CVE-2016-3163	high	7.5	7.5	10y ago	Drupal Brute force amplification attacks via XML-RPC
CVE-2011-2687	high	—	7.5	15y ago	Drupal Access Control Bypass
CVE-2016-3167	high	7.4	7.4	10y ago	Drupal Open redirect vulnerability in the drupal_goto function
CVE-2016-3164	high	7.4	7.4	10y ago	Drupal Open Redirect
CVE-2020-28949	medium	—	7.0	6y ago	Moderate: php:7.4 security update
CVE-2016-9451	medium	6.8	6.8	10y ago	Drupal Open Redirect
CVE-2026-6366	medium	6.6	6.6	8d ago	Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a …
CVE-2016-9452	medium	6.5	6.5	10y ago	Drupal Denial of service via transliterate mechanism
CVE-2016-3168	medium	6.4	6.4	10y ago	Drupal Reflected file download vulnerability
CVE-2026-6367	medium	6.1	6.1	8d ago	Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross s…
CVE-2026-6365	medium	6.1	6.1	8d ago	Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which which can lead to a cross-site scripting (XSS) vulnerability.
CVE-2016-7571	medium	6.1	6.1	10y ago	Drupal Cross-site scripting (XSS) vulnerability
CVE-2016-3166	medium	5.9	5.9	10y ago	Drupal CRLF injection vulnerability in the drupal_set_header function
CVE-2021-32610	medium	—	5.5	5y ago	Moderate: php:7.4 security, bug fix, and enhancement update
CVE-2020-28948	medium	—	5.5	6y ago	Moderate: php:7.4 security update
CVE-2019-11358	medium	—	5.5	7y ago	Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update	+5
CVE-2016-6212	medium	5.3	5.3	10y ago	Drupal Views can allow unauthorized users to see Statistics information
CVE-2016-3170	medium	5.3	5.3	10y ago	Drupal sensitive information disclosure
CVE-2016-9449	medium	4.3	4.3	10y ago	Drupal sensitive information disclosure
CVE-2016-7572	medium	4.3	4.3	10y ago	Drupal Unprivileged access to config export
CVE-2016-7570	medium	4.3	4.3	10y ago	Drupal Users without "Administer comments" can set comment visibility on nodes they can edit