
Drupal — Vulnerabilities & Security Advisories (295)

Browse all 295 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-13298 | Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064 | Tarte au Citron | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13297 | Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063 | Eloqua | CWE-502 | 9.8 | - | 2025-01-09 |
| CVE-2024-13296 | Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062 | Mailjet | CWE-502 | 9.8 | - | 2025-01-09 |
| CVE-2024-13295 | Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061 | Node export | CWE-502 | 9.8 | - | 2025-01-09 |
| CVE-2024-13294 | POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060 | POST File | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13293 | POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059 | POST File | CWE-352 | 8.8 | - | 2025-01-09 |
| CVE-2024-13292 | Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058 | Tooltip | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13291 | Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057 | Basic HTTP Authentication | CWE-863 | - | - | 2025-01-09 |
| CVE-2024-13290 | OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056 | OhDear Integration | CWE-863 | 7.5 | - | 2025-01-09 |
| CVE-2024-13289 | Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055 | Cookiebot + GTM | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13288 | Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052 | Monster Menus | CWE-502 | 9.8 | - | 2025-01-09 |
| CVE-2024-13287 | Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051 | Views SVG Animation | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13286 | SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050 | SVG Embed | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13285 | wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 | wkhtmltopdf | - | 9.8 | - | 2025-01-09 |
| CVE-2024-13284 | Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 | Gutenberg | CWE-352 | 8.8 | - | 2025-01-09 |
| CVE-2024-13283 | Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 | Facets | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13282 | Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 | Block permissions | CWE-863 | 5.3 | - | 2025-01-09 |
| CVE-2024-13281 | Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 | Monster Menus | CWE-863 | 7.5 | - | 2025-01-09 |
| CVE-2024-13280 | Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044 | Persistent Login | CWE-613 | 9.1 | - | 2025-01-09 |
| CVE-2024-13279 | Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 | Two-factor Authentication (TFA) | CWE-384 | 7.1 | - | 2025-01-09 |
| CVE-2024-13278 | Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042 | Diff | CWE-863 | 8.8 | - | 2025-01-09 |
| CVE-2024-13277 | Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041 | Smart IP Ban | CWE-863 | 9.1 | - | 2025-01-09 |
| CVE-2024-13276 | File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040 | File Entity (fieldable files) | CWE-201 | 7.1 | - | 2025-01-09 |
| CVE-2024-13275 | Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039 | Security Kit | CWE-843 | 7.5 | - | 2025-01-09 |
| CVE-2024-13274 | Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038 | Open Social | CWE-799 | 9.8 | - | 2025-01-09 |
| CVE-2024-13273 | Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037 | Open Social | CWE-79 | 6.1 | - | 2025-01-09 |
| CVE-2024-13272 | Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036 | Paragraphs table | CWE-1220 | 4.3 | - | 2025-01-09 |
| CVE-2024-13271 | Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035 | Content Entity Clone | CWE-863 | 9.1 | - | 2025-01-09 |
| CVE-2024-13270 | Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034 | Freelinking | CWE-863 | 7.5 | - | 2025-01-09 |
| CVE-2024-13269 | Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033 | Advanced Varnish | CWE-201 | 9.1 | - | 2025-01-09 |

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.