Drupal — Vulnerabilities & Security Advisories 295

Browse all 295 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-10927 | Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107 — Plausible tracking | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-29 |
| CVE-2025-10926 | JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106 — JSON Field | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-29 |
| CVE-2025-9954 | Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105 — Acquia DAM | CWE-862 | 7.5 (AI) | High (AI) | 2025-10-29 |
| CVE-2025-9554 | Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104 — Owl Carousel 2 | | 8.2 (AI) | High (AI) | 2025-10-10 |
| CVE-2025-9553 | API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103 — API Key manager | | 8.2 (AI) | High (AI) | 2025-10-10 |
| CVE-2025-9552 | Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102 — Synchronize composer.json With Contrib Modules | | 9.4 (AI) | Critical (AI) | 2025-10-10 |
| CVE-2025-9551 | Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101 — Protected Pages | CWE-307 | 9.8 (AI) | Critical (AI) | 2025-10-10 |
| CVE-2025-9550 | Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100 — Facets | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-10 |
| CVE-2025-9549 | Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099 — Facets | CWE-862 | 7.5 (AI) | High (AI) | 2025-10-10 |
| CVE-2025-8093 | Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098 — Authenticator Login | CWE-288 | 9.8 (AI) | Critical (AI) | 2025-10-10 |
| CVE-2025-8996 | Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097 — Layout Builder Advanced Permissions | CWE-862 | - | - (AI) | 2025-08-15 |
| CVE-2025-8995 | Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 — Authenticator Login | CWE-288 | 9.8 (AI) | Critical (AI) | 2025-08-15 |
| CVE-2025-8675 | AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095 — AI SEO Link Advisor | CWE-918 | 9.8 (AI) | Critical (AI) | 2025-08-15 |
| CVE-2025-8362 | GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094 — GoogleTag Manager | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-08-15 |
| CVE-2025-8361 | Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093 — Config Pages | CWE-962 | - | - (AI) | 2025-08-15 |
| CVE-2025-8092 | COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092 — COOKiES Consent Management | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-08-15 |
| CVE-2025-7717 | File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089 — File Download | CWE-862 | 9.1 | - | 2025-07-21 |
| CVE-2025-7716 | Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091 — Real-time SEO for Drupal | CWE-79 | 6.1 | - | 2025-07-21 |
| CVE-2025-7715 | Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090 — Block Attributes | CWE-79 | 6.1 | - | 2025-07-21 |
| CVE-2025-7392 | Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087 — Cookies Addons | CWE-79 | 6.1 | - | 2025-07-21 |
| CVE-2025-7393 | Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088 — Mail Login | CWE-307 | 9.8 | - | 2025-07-21 |
| CVE-2025-7031 | Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086 — Config Pages Viewer | CWE-306 | 9.1 (AI) | Critical (AI) | 2025-07-08 |
| CVE-2025-7030 | Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 — Two-factor Authentication (TFA) | CWE-267 | 8.1 (AI) | High (AI) | 2025-07-08 |
| CVE-2025-6677 | Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084 — Paragraphs table | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-6676 | Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083 — Simple XML sitemap | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-6675 | Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082 — Enterprise MFA - TFA for Drupal | CWE-288 | 9.8 (AI) | Critical (AI) | 2025-06-26 |
| CVE-2025-6674 | CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081 — CKEditor5 Youtube | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-5682 | Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080 — Klaro Cookie & Consent Management | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-48921 | Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079 — Open Social | CWE-352 | 8.8 (AI) | High (AI) | 2025-06-26 |
| CVE-2025-48922 | GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078 — GLightbox | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.