Drupal — Vulnerabilities & Security Advisories 295

Browse all 295 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-0945 | Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002 — Role Delegation | CWE-267 | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-0944 | Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001 — Group invite | CWE-754 | - | - (AI) | 2026-02-04 |
| CVE-2025-14840 | HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126 — HTTP Client Manager | CWE-754 | - | - (AI) | 2026-01-28 |
| CVE-2025-14472 | Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125 — Acquia Content Hub | CWE-352 | 8.8 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-13986 | Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124 — Disable Login Page | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-01-28 |
| CVE-2025-13985 | Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123 — Entity Share | CWE-863 | 7.5 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-13984 | Next.js - Critical - Access bypass - SA-CONTRIB-2025-122 — Next.js | CWE-942 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-13983 | Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121 — Tagify | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-13982 | Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120 — Login Time Restriction | CWE-352 | 8.8 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-13981 | AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119 — AI (Artificial Intelligence) | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-13980 | CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118 — CKEditor 5 Premium Features | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-01-28 |
| CVE-2025-13979 | Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117 — Mini site | CWE-267 | 5.4 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2026-0749 | Cross-Site Scripting Vulnerability in Drupal Form Builder Module — Drupal | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2026-0750 | Payment bypass in Commerce Paybox — Drupal Commerce Paybox | CWE-347 | 9.8 (AI) | Critical (AI) | 2026-01-28 |
| CVE-2025-14557 | XSS in Drupal 7 Facebook Pixel Module — Facebook Pixel | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-14556 | XSS in Drupal 7 Flag Module — Flag | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-12848 | XSS vulnerability when rendering filename in Webform Multiform — Drupal | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-11-26 |
| CVE-2025-12761 | Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116 — Simple multi step form | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-11-18 |
| CVE-2025-12760 | Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115 — Email TFA | CWE-288 | 9.8 (AI) | Critical (AI) | 2025-11-18 |
| CVE-2025-13083 | Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008 — Drupal core | CWE-525 | 7.5 (AI) | High (AI) | 2025-11-18 |
| CVE-2025-13082 | Drupal core - Moderately critical - Defacement - SA-CORE-2025-007 — Drupal core | CWE-451 | 4.3 (AI) | Medium (AI) | 2025-11-18 |
| CVE-2025-13081 | Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006 — Drupal core | CWE-915 | 9.8 (AI) | Critical (AI) | 2025-11-18 |
| CVE-2025-13080 | Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005 — Drupal core | CWE-754 | - | - (AI) | 2025-11-18 |
| CVE-2025-12466 | Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114 — Simple OAuth (OAuth2) & OpenID Connect | CWE-288 | 9.8 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-12083 | CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113 — CivicTheme Design System | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-29 |
| CVE-2025-12082 | CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112 — CivicTheme Design System | CWE-863 | 7.5 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-10929 | Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111 — Reverse Proxy Header | CWE-1288 | 9.1 (AI) | Critical (AI) | 2025-10-29 |
| CVE-2025-10930 | Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110 — Currency | CWE-352 | 8.8 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-10931 | Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109 — Umami Analytics | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-29 |
| CVE-2025-10928 | Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108 — Access code | CWE-307 | 9.8 (AI) | Critical (AI) | 2025-10-29 |

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.