
Drupal — Vulnerabilities & Security Advisories (295)

Browse all 295 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-31689 | General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018 | General Data Protection Regulation | CWE-352 | 8.8 | - | 2025-03-31 |
| CVE-2025-31688 | Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017 | Configuration Split | CWE-352 | 8.8 | - | 2025-03-31 |
| CVE-2025-31687 | SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016 | SpamSpan filter | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2025-31686 | Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015 | Open Social | CWE-862 | 7.5 | - | 2025-03-31 |
| CVE-2025-31685 | Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014 | Open Social | CWE-862 | 7.5 | - | 2025-03-31 |
| CVE-2025-31684 | OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013 | OAuth2 Client | CWE-352 | 8.8 | - | 2025-03-31 |
| CVE-2025-31683 | Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012 | Google Tag | CWE-352 | 8.8 | - | 2025-03-31 |
| CVE-2025-31682 | Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011 | Google Tag | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2025-31681 | Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009 | Authenticator Login | CWE-862 | 7.5 | - | 2025-03-31 |
| CVE-2025-31680 | Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008 | Matomo Analytics | CWE-352 | 8.8 | - | 2025-03-31 |
| CVE-2025-31679 | Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007 | Ignition Error Pages | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2025-31678 | AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004 | AI (Artificial Intelligence) | CWE-862 | 9.4 | - | 2025-03-31 |
| CVE-2025-31677 | AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003 | AI (Artificial Intelligence) | CWE-352 | 8.8 | - | 2025-03-31 |
| CVE-2025-31676 | Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001 | Email TFA | CWE-1390 | 9.8 | - | 2025-03-31 |
| CVE-2025-31675 | Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004 | Drupal core | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2025-31674 | Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003 | Drupal core | CWE-915 | 9.8 | - | 2025-03-31 |
| CVE-2025-31673 | Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 | Drupal core | CWE-863 | 6.5 | - | 2025-03-31 |
| CVE-2025-3057 | Drupal core - Critical - Cross site scripting - SA-CORE-2025-001 | Drupal core | CWE-79 | 6.1 | - | 2025-03-31 |
| CVE-2024-13312 | Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 | Open Social | CWE-862 | 7.5 | - | 2025-01-09 |
| CVE-2024-13311 | Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 | Allow All File Extensions for file fields | | 8.2 | - | 2025-01-09 |
| CVE-2024-13310 | Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 | Git Utilities for Drupal | | 9.1 | - | 2025-01-09 |
| CVE-2024-13309 | Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 | Login Disable | CWE-287 | 8.2 | - | 2025-01-09 |
| CVE-2024-13308 | Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 | Browser Back Button | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13305 | Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071 | Entity Form Steps | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13304 | Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070 | Minify JS | CWE-352 | 8.8 | - | 2025-01-09 |
| CVE-2024-13303 | Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069 | Download All Files | CWE-862 | 7.5 | - | 2025-01-09 |
| CVE-2024-13302 | Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068 | Pages Restriction Access | CWE-863 | 7.5 | - | 2025-01-09 |
| CVE-2024-13301 | OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067 | OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13300 | Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066 | Print Anything | | 8.2 | - | 2025-01-09 |
| CVE-2024-13299 | Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065 | Megamenu Framework | | 9.4 | - | 2025-01-09 |

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.