Drupal — Vulnerabilities & Security Advisories 295

Browse all 295 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-0748 | Access bypass in Drupal 7 i18n_node translation UI — Internationalization (i18n) - i18n_node submodule | CWE-284 | 4.3 | - | 2026-03-26 |
| CVE-2026-1556 | Information disclosure via file URI overwrite in File (Field) Paths — Drupal File (Field) Paths | CWE-200 | 6.5 | - | 2026-03-26 |
| CVE-2026-4393 | Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030 — Automated Logout | CWE-352 | 8.1 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-4933 | Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029 — Unpublished Node Permissions | CWE-863 | 7.5 | - | 2026-03-26 |
| CVE-2026-3573 | AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028 — AI (Artificial Intelligence) | CWE-863 | 9.1 | - | 2026-03-26 |
| CVE-2026-3532 | OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027 — OpenID Connect / OAuth client | CWE-178 | 8.8 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-3531 | OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026 — OpenID Connect / OAuth client | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-03-26 |
| CVE-2026-3530 | OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025 — OpenID Connect / OAuth client | CWE-918 | 9.8 (AI) | Critical (AI) | 2026-03-26 |
| CVE-2026-3529 | Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024 — Google Analytics GA4 | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-26 |
| CVE-2026-3528 | Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023 — Calculation Fields | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-26 |
| CVE-2026-3527 | AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022 — AJAX Dashboard | CWE-306 | 9.1 (AI) | Critical (AI) | 2026-03-26 |
| CVE-2026-3526 | File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021 — File Access Fix (deprecated) | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-3525 | File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020 — File Access Fix (deprecated) | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-3218 | Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019 — Responsive Favicons | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3217 | SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018 — SAML SSO - Service Provider | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3216 | Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017 — Drupal Canvas | CWE-918 | 9.8 | - | 2026-03-25 |
| CVE-2026-3215 | Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016 — Islandora | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3214 | CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015 — CAPTCHA | CWE-288 | 9.1 | - | 2026-03-25 |
| CVE-2026-3213 | Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014 — Anti-Spam by CleanTalk | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3212 | Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013 — Tagify | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3211 | Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012 — Theme Negotiation by Rules | CWE-352 | 8.8 | - | 2026-03-25 |
| CVE-2026-3210 | Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011 — Material Icons | CWE-863 | 7.5 | - | 2026-03-25 |
| CVE-2026-2349 | UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010 — UI Icons | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-2348 | Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009 — Quick Edit | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-1917 | Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008 — Login Disable | CWE-288 | 9.8 | - | 2026-03-25 |
| CVE-2026-1554 | Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007 — Central Authentication System (CAS) Server | CWE-91 | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-1553 | Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006 — Drupal Canvas | CWE-863 | 7.5 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-0948 | Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005 — Microsoft Entra ID SSO Login | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-02-04 |
| CVE-2026-0947 | AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004 — AT Internet Piano Analytics | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-04 |
| CVE-2026-0946 | AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003 — AT Internet SmartTag | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-04 |

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.