
Drupal — Vulnerabilities & Security Advisories (309)

Browse all 309 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-6816 | TFA Basic Plugins - Access Bypass | TFA Basic Plugins | CWE-267 | - | - | 2026-05-28 |
| CVE-2026-5343 | SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031 | SAML SSO - Service Provider | CWE-754 | - | - | 2026-05-28 |
| CVE-2026-4093 | Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels) | Term Reference Tree | CWE-79 | - | - | 2026-05-21 |
| CVE-2026-4929 | Simple Hierarchical Select (Drupal 7) XSS in term-derived output | Simple Hierarchical Select (shs) | - | - | - | 2026-05-21 |
| CVE-2026-9082 | Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 | Drupal core | CWE-89 | 9.8 | Critical | 2026-05-20 |
| CVE-2026-8495 | Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037 | Date iCal | CWE-862 | - | - | 2026-05-19 |
| CVE-2026-8493 | Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036 | Colorbox Inline | CWE-79 | - | - | 2026-05-19 |
| CVE-2026-8492 | Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035 | Translate Drupal with GTranslate | CWE-471 | - | - | 2026-05-19 |
| CVE-2026-8491 | Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034 | Node View Permissions | CWE-754 | - | - | 2026-05-19 |
| CVE-2026-6871 | Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033 | Obfuscate | CWE-79 | - | - | 2026-05-19 |
| CVE-2026-6367 | Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003 | Drupal core | CWE-79 | - | - | 2026-05-19 |
| CVE-2026-6366 | Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002 | Drupal core | CWE-915 | - | - | 2026-05-19 |
| CVE-2026-6365 | Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001 | Drupal core | CWE-79 | - | - | 2026-05-19 |
| CVE-2026-6095 | Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032 | Orejime | CWE-79 | - | - | 2026-05-19 |
| CVE-2026-0748 | Access bypass in Drupal 7 i18n_node translation UI | Internationalization (i18n) - i18n_node submodule | CWE-284 | 4.3 | - | 2026-03-26 |
| CVE-2026-1556 | Information disclosure via file URI overwrite in File (Field) Paths | Drupal File (Field) Paths | CWE-200 | 6.5 | - | 2026-03-26 |
| CVE-2026-4393 | Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030 | Automated Logout | CWE-352 | 8.1 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-4933 | Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029 | Unpublished Node Permissions | CWE-863 | 7.5 | - | 2026-03-26 |
| CVE-2026-3573 | AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028 | AI (Artificial Intelligence) | CWE-863 | 9.1 | - | 2026-03-26 |
| CVE-2026-3532 | OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027 | OpenID Connect / OAuth client | CWE-178 | 8.8 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-3531 | OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026 | OpenID Connect / OAuth client | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-03-26 |
| CVE-2026-3530 | OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025 | OpenID Connect / OAuth client | CWE-918 | 9.8 (AI) | Critical (AI) | 2026-03-26 |
| CVE-2026-3529 | Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024 | Google Analytics GA4 | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-26 |
| CVE-2026-3528 | Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023 | Calculation Fields | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-26 |
| CVE-2026-3527 | AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022 | AJAX Dashboard | CWE-306 | 9.1 (AI) | Critical (AI) | 2026-03-26 |
| CVE-2026-3526 | File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021 | File Access Fix (deprecated) | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-3525 | File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020 | File Access Fix (deprecated) | CWE-863 | 7.5 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-3218 | Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019 | Responsive Favicons | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3217 | SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018 | SAML SSO - Service Provider | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3216 | Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017 | Drupal Canvas | CWE-918 | 9.8 | - | 2026-03-25 |

CVSS and severity values marked "(AI)" carried an "AI" tag in the original listing; a "-" means the listing gave no value for that field.

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.