
Drupal — Vulnerabilities & Security Advisories (295)

Browse all 295 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework used to build complex websites and digital experiences. With 295 recorded CVEs, its security history reflects the challenges typical of widely adopted PHP platforms. The recurring classes in this listing are cross-site scripting (CWE-79), cross-site request forgery (CWE-352), access bypass (CWE-306, CWE-288, CWE-862), denial of service through unbounded resource allocation (CWE-770) and, in the AI module, remote code execution via a gadget chain (CWE-78). Every advisory on this page carries an SA-CONTRIB identifier, meaning it concerns a contributed module or theme rather than Drupal core: the modular architecture is flexible, but each contributed project is only as well maintained as its own maintainer. Entries titled "Critical - Unsupported" do not describe a disclosed bug; they are the Drupal Security Team's notice that a project has been marked unsupported because a reported issue was not fixed, so no patched release will follow and the remedy is to uninstall or replace the project rather than wait for an update. Security posture therefore depends on timely patching of both core and contributed code, on keeping the set of installed contributed projects small and vetted, and on checking each advisory's type before deciding whether a version bump is even an option.

Legend: "Risk" is the Drupal Security Team's rating from the advisory title; "Type" is the vulnerability type from the title; CVSS scores and severities marked (AI) are the site's AI-generated estimates, "-" means none recorded. 30 of 295 advisories are shown.

| CVE ID | Project | Risk | Type | Advisory | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-3907 | Search API Solr | Moderately critical | Cross Site Request Forgery | SA-CONTRIB-2025-046 | CWE-352 | 8.8 | - | 2025-04-23 |
| CVE-2025-3904 | Sportsleague | Critical | Unsupported | SA-CONTRIB-2025-045 | - | 9.4 | - | 2025-04-23 |
| CVE-2025-3903 | UEditor - 百度编辑器 | Critical | Unsupported | SA-CONTRIB-2025-044 | - | 8.2 | - | 2025-04-23 |
| CVE-2025-3902 | Block Class | Moderately critical | Cross Site Scripting | SA-CONTRIB-2025-043 | CWE-79 | 6.1 | - | 2025-04-23 |
| CVE-2025-3901 | Bootstrap Site Alert | Moderately critical | Cross Site Scripting | SA-CONTRIB-2025-042 | CWE-79 | 6.1 | - | 2025-04-23 |
| CVE-2025-3900 | Colorbox | Moderately critical | Cross Site Scripting | SA-CONTRIB-2025-041 | CWE-79 | 6.1 | - | 2025-04-23 |
| CVE-2025-3739 | Drupal 8 Google Optimize Hide Page | Critical | Unsupported | SA-CONTRIB-2025-040 | - | 6.5 (AI) | Medium (AI) | 2025-04-16 |
| CVE-2025-3738 | Google Optimize | Critical | Unsupported | SA-CONTRIB-2025-039 | - | 8.2 (AI) | High (AI) | 2025-04-16 |
| CVE-2025-3737 | Google Maps: Store Locator | Critical | Unsupported | SA-CONTRIB-2025-038 | - | 8.2 (AI) | High (AI) | 2025-04-16 |
| CVE-2025-3736 | Simple GTM | Critical | Unsupported | SA-CONTRIB-2025-037 | - | 9.4 (AI) | Critical (AI) | 2025-04-16 |
| CVE-2025-3735 | Panelizer (obsolete) | Critical | Unsupported | SA-CONTRIB-2025-036 | - | 9.1 (AI) | Critical (AI) | 2025-04-16 |
| CVE-2025-3734 | Stage File Proxy | Moderately critical | Denial of Service | SA-CONTRIB-2025-035 | CWE-770 | 7.5 (AI) | High (AI) | 2025-04-16 |
| CVE-2025-3733 | baguetteBox.js | Moderately critical | Cross Site Scripting | SA-CONTRIB-2025-034 | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-04-16 |
| CVE-2025-3474 | Panels | Critical | Access bypass | SA-CONTRIB-2025-033 | CWE-306 | 9.1 (AI) | Critical (AI) | 2025-04-09 |
| CVE-2025-3131 | ECA: Event - Condition - Action | Critical | Cross site request forgery | SA-CONTRIB-2025-031 | CWE-352 | 8.8 (AI) | High (AI) | 2025-04-09 |
| CVE-2025-3475 | WEB-T | Moderately critical | Access bypass, Denial of service | SA-CONTRIB-2025-030 | CWE-770 | 7.5 (AI) | High (AI) | 2025-04-09 |
| CVE-2025-3130 | Obfuscate | Moderately critical | Cross Site Scripting | SA-CONTRIB-2025-029 | CWE-79 | 5.4 | - | 2025-04-02 |
| CVE-2025-3129 | Access code | Moderately critical | Access bypass | SA-CONTRIB-2025-028 | CWE-307 | 9.8 (AI) | Critical (AI) | 2025-04-02 |
| CVE-2025-3062 | Drupal Admin LTE theme | Critical | Unsupported | SA-CONTRIB-2025-010 | - | 9.1 | - | 2025-03-31 |
| CVE-2025-3061 | Material Admin | Critical | Unsupported | SA-CONTRIB-2025-006 | - | 9.8 | - | 2025-03-31 |
| CVE-2025-3060 | Flattern – Multipurpose Bootstrap Business Profile | Critical | Unsupported | SA-CONTRIB-2025-005 | - | 8.2 | - | 2025-03-31 |
| CVE-2025-3059 | Profile Private | Critical | Unsupported | SA-CONTRIB-2025-002 | - | 8.2 | - | 2025-03-31 |
| CVE-2025-31697 | Formatter Suite | Moderately critical | Cross site scripting | SA-CONTRIB-2025-026 | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2025-31696 | RapiDoc OAS Field Formatter | Moderately critical | Cross site scripting | SA-CONTRIB-2025-025 | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2025-31695 | Link field display mode formatter | Moderately critical | Cross site scripting | SA-CONTRIB-2025-024 | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2025-31694 | Two-factor Authentication (TFA) | Moderately critical | Access bypass | SA-CONTRIB-2025-023 | CWE-288 | 9.4 | - | 2025-03-31 |
| CVE-2025-31693 | AI (Artificial Intelligence) | Moderately critical | Gadget Chain | SA-CONTRIB-2025-022 | CWE-78 | 8.8 | - | 2025-03-31 |
| CVE-2025-31692 | AI (Artificial Intelligence) | Critical | Remote Code Execution | SA-CONTRIB-2025-021 | CWE-78 | 8.8 | - | 2025-03-31 |
| CVE-2025-31691 | OAuth2 Server | Moderately critical | Access bypass | SA-CONTRIB-2025-020 | CWE-862 | 7.5 | - | 2025-03-31 |
| CVE-2025-31690 | Cache Utility | Moderately critical | Cross Site Request Forgery | SA-CONTRIB-2025-019 | CWE-352 | 8.8 | - | 2025-03-31 |
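The advisory titles in the listing follow a fixed "Project - Risk - Type - SA-CONTRIB-YYYY-NNN" shape, which makes the page usable as triage input. The script below is an added example, not the listing site's code and not part of Drupal or drush: it parses a handful of the titles above, matches them against a constructed list of installed module machine names (as `drush pm:list` would report them on a hypothetical site), and separates advisories that have a fixed release from "Unsupported" ones, where the only remedy is removal. The machine-name derivation is a heuristic assumed for the example; real drupal.org machine names (for instance `eca` or `ai`) do not always follow it, so a production version would map by project URL instead.

```python
"""
Triage Drupal SA-CONTRIB advisories against an installed-project list.

Added example for this page; not the listing site's code, not Drupal or
drush code. Advisory titles are copied from the table above; the installed
list and the name-matching heuristic are constructed for the example.
"""
import re
from dataclasses import dataclass

# Drupal Security Team risk labels, most severe first.
RISK_RANK = {"Critical": 3, "Moderately critical": 2, "Less critical": 1}


@dataclass(frozen=True)
class Advisory:
    cve: str
    project: str
    risk: str
    vuln_type: str
    sa_id: str

    @property
    def fix_is_published(self) -> bool:
        # "Unsupported" advisories mean the project was marked unsupported
        # because a reported issue was not fixed; no patched release follows.
        return self.vuln_type != "Unsupported"


def parse_title(cve: str, title: str) -> Advisory:
    """Split 'Project - Risk - Type - SA-CONTRIB-YYYY-NNN' from the right, so
    project names that themselves contain ' - ' survive intact."""
    parts = title.rsplit(" - ", 3)
    if len(parts) != 4 or not parts[3].startswith("SA-CONTRIB-"):
        raise ValueError(f"unexpected advisory title: {title!r}")
    project, risk, vuln_type, sa_id = parts
    return Advisory(cve, project, risk, vuln_type, sa_id)


def _slug(text: str) -> str:
    return re.sub(r"[^a-z0-9]+", "_", text.lower()).strip("_")


def machine_name_candidates(project: str) -> set:
    """Heuristic (an assumption for this example): the machine name is the
    lower-cased title with non-alphanumerics collapsed to '_'. A parenthesised
    abbreviation such as '(TFA)' and the title without it are also tried."""
    cands = {_slug(project)}
    m = re.search(r"\(([^)]+)\)", project)
    if m:
        cands.add(_slug(m.group(1)))
        cands.add(_slug(re.sub(r"\s*\([^)]*\)", "", project)))
    return cands


def triage(advisories, installed):
    """Return (machine_name, advisory, action) for every installed project
    that appears in an advisory, most severe first."""
    installed = set(installed)
    findings = []
    for adv in advisories:
        for name in machine_name_candidates(adv.project) & installed:
            if adv.fix_is_published:
                action = "update to the fixed release named in " + adv.sa_id
            else:
                action = "uninstall or replace: project marked unsupported, no fix will ship"
            findings.append((name, adv, action))
    findings.sort(key=lambda f: (-RISK_RANK.get(f[1].risk, 0), f[1].sa_id))
    return findings


# Titles copied from the listing on this page.
LISTING = [
    ("CVE-2025-3907", "Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046"),
    ("CVE-2025-3903", "UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044"),
    ("CVE-2025-3900", "Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041"),
    ("CVE-2025-3474", "Panels - Critical - Access bypass - SA-CONTRIB-2025-033"),
    ("CVE-2025-3131", "ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031"),
    ("CVE-2025-31694", "Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023"),
    ("CVE-2025-31692", "AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021"),
]

# Constructed list of enabled module machine names for a hypothetical site.
INSTALLED = ["search_api_solr", "tfa", "colorbox", "ueditor", "token", "pathauto"]


def run_triage():
    advisories = [parse_title(cve, title) for cve, title in LISTING]
    return triage(advisories, INSTALLED)


if __name__ == "__main__":
    for name, adv, action in run_triage():
        print(f"{adv.risk:20} {name:16} {adv.cve:15} {adv.vuln_type}: {action}")
```

Run it as a script to get the ranked findings; `ueditor` comes out first because it is Critical and, being an "Unsupported" advisory, cannot be fixed by a version bump, while the three "Moderately critical" hits each point at a fixed release. Projects whose machine name the heuristic cannot derive (Panels, ECA, AI in this sample) are silently not matched, which is why the lead-in recommends matching by project URL in real use.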

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.