Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Drupal — Vulnerabilities & Security Advisories 355

Browse all 355 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

CVE IDTitleCVSSSeverityPublished
CVE-2026-11913 Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045 — Mother May I--2026-07-10
CVE-2026-11914 Composer - Critical - Unsupported - SA-CONTRIB-2026-046 — Composer--2026-07-10
CVE-2026-11915 Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047 — Brute force attack protection--2026-07-10
CVE-2026-15087 Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078 — Clean RESTful--2026-07-10
CVE-2026-15086 Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077 — Raw Formatter [Meta Tag Formatter]--2026-07-10
CVE-2026-15089 Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079 — Commerce guest registration--2026-07-10
CVE-2026-55808 Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009 — Drupal coreCWE-79--2026-07-10
CVE-2026-55807 Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008 — Drupal coreCWE-918--2026-07-10
CVE-2026-55806 Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007 — Drupal coreCWE-601--2026-07-10
CVE-2026-55804 Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006 — Drupal coreCWE-915--2026-07-10
CVE-2026-55803 Drupal core - Critical - PHP object injection - SA-CORE-2026-005 — Drupal coreCWE-915--2026-07-10
CVE-2026-15085 AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076 — AI SEO/GEO AnalyzerCWE-79--2026-07-10
CVE-2026-15084 UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075 — UI Patterns (SDC in Drupal UI)CWE-79--2026-07-10
CVE-2026-15083 ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074 — ECA: Event - Condition - ActionCWE-915--2026-07-10
CVE-2026-15082 Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073 — Siteimprove AnalyticsCWE-79--2026-07-10
CVE-2026-15081 Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072 — Location SelectorCWE-89--2026-07-10
CVE-2026-15080 Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071 — Ray Enterprise TranslationCWE-352--2026-07-10
CVE-2026-58591 Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069 — ColorboxCWE-79--2026-07-10
CVE-2026-15079 Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070 — Login DisableCWE-307--2026-07-10
CVE-2026-58590 FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068 — FlowDropCWE-862--2026-07-10
CVE-2026-58589 FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067 — FlowDropCWE-862--2026-07-10
CVE-2026-58588 Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066 — Drupal CanvasCWE-79--2026-07-10
CVE-2026-58587 Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065 — Drupal CanvasCWE-79--2026-07-10
CVE-2026-13244 Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064 — Tealium iQ Tag ManagementCWE-915--2026-07-10
CVE-2026-13243 Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063 — Salesforce SuiteCWE-352--2026-07-10
CVE-2026-13242 Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062 — Geolocation FieldCWE-89--2026-07-10
CVE-2026-13241 Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061 — ParagraphsCWE-862--2026-07-10
CVE-2026-13240 Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060 — ParagraphsCWE-862--2026-07-10
CVE-2026-13239 WissKI - Critical - Access bypass - SA-CONTRIB-2026-059 — WissKICWE-862--2026-07-10
CVE-2026-13238 Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058 — Commerce Realex / Global PaymentsCWE-863--2026-07-10

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.