Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
753 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10930 | 2 2bits, Drupal | 3 Currency, Currency, Drupal | 2025-12-12 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0. | ||||
| CVE-2025-10926 | 2 Drupal, Json Field Project | 3 Drupal, Json Field, Json Field | 2025-12-12 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).This issue affects JSON Field: from 0.0.0 before 1.5. | ||||
| CVE-2025-10927 | 2 Drupal, Plausible Tracking Project | 3 Drupal, Plausible Tracking, Plausible Tracking | 2025-12-12 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).This issue affects Plausible tracking: from 0.0.0 before 1.0.2. | ||||
| CVE-2025-10928 | 2 Access Code Project, Drupal | 3 Access Code, Access Code, Drupal | 2025-12-12 | 6.3 Medium |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5. | ||||
| CVE-2025-10929 | 2 Drupal, Reverse Proxy Header Project | 3 Drupal, Reverse Proxy Header, Reverse Proxy Header | 2025-12-12 | 5.3 Medium |
| Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2. | ||||
| CVE-2025-12761 | 2 Drupal, Simple Multi Step Form Project | 3 Drupal, Simple Multi Step Form, Simple Multi Step Form | 2025-12-08 | 3.5 Low |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0. | ||||
| CVE-2025-12760 | 2 Drupal, Email Tfa Project | 3 Drupal, Email Tfa, Email Tfa | 2025-12-08 | 5.4 Medium |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6. | ||||
| CVE-2025-12848 | 2 Drupal, Webform Multiple File Upload Project | 3 Drupal, Webform Module, Webform Multiple File Upload | 2025-12-05 | 6.1 Medium |
| Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module. | ||||
| CVE-2025-9553 | 2 Api Key Manager Project, Drupal | 3 Api Key Manager, Api Key Manager, Drupal | 2025-12-05 | 5.3 Medium |
| Vulnerability in Drupal API Key manager.This issue affects API Key manager: *.*. | ||||
| CVE-2025-9554 | 2 Drupal, Owl Carousel 2 Project | 2 Drupal, Owl Carousel 2 | 2025-12-05 | 5.3 Medium |
| Vulnerability in Drupal Owl Carousel 2.This issue affects Owl Carousel 2: *.*. | ||||
| CVE-2025-12466 | 2 Drupal, Simple Oauth Project | 3 Drupal, Openid, Simple Oauth | 2025-12-04 | 7.5 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7. | ||||
| CVE-2025-10931 | 2 Drupal, Umami | 3 Drupal, Umami Analytics, Umami Analytics | 2025-12-03 | 3.8 Low |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1. | ||||
| CVE-2025-12082 | 2 Drupal, Salsa.digital | 3 Civictheme Design System, Drupal, Civictheme Design System | 2025-12-03 | 7.5 High |
| Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0. | ||||
| CVE-2025-12083 | 2 Drupal, Salsa.digital | 3 Civictheme Design System, Drupal, Civictheme Design System | 2025-12-03 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0. | ||||
| CVE-2025-9954 | 2 Acquia, Drupal | 3 Dam, Acquia Dam, Drupal | 2025-12-03 | 7.5 High |
| Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5. | ||||
| CVE-2025-13080 | 1 Drupal | 2 Drupal, Drupal Core | 2025-11-24 | 5.3 Medium |
| Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | ||||
| CVE-2025-13081 | 1 Drupal | 2 Drupal, Drupal Core | 2025-11-24 | 5.9 Medium |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | ||||
| CVE-2025-13082 | 1 Drupal | 2 Drupal, Drupal Core | 2025-11-24 | 4.3 Medium |
| User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | ||||
| CVE-2025-13083 | 1 Drupal | 2 Drupal, Drupal Core | 2025-11-24 | 3.7 Low |
| Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | ||||
| CVE-2020-28949 | 5 Debian, Drupal, Fedoraproject and 2 more | 6 Debian Linux, Drupal, Fedora and 3 more | 2025-11-07 | 7.8 High |
| Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | ||||