Drupal — Vulnerabilities & Security Advisories (309)

Browse all 309 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2025-7717 | File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089 — File Download · CWE-862 | 9.1 | - | 2025-07-21 |
| CVE-2025-7716 | Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091 — Real-time SEO for Drupal · CWE-79 | 6.1 | - | 2025-07-21 |
| CVE-2025-7715 | Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090 — Block Attributes · CWE-79 | 6.1 | - | 2025-07-21 |
| CVE-2025-7392 | Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087 — Cookies Addons · CWE-79 | 6.1 | - | 2025-07-21 |
| CVE-2025-7393 | Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088 — Mail Login · CWE-307 | 9.8 | - | 2025-07-21 |
| CVE-2025-7031 | Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086 — Config Pages Viewer · CWE-306 | 9.1 (AI) | Critical (AI) | 2025-07-08 |
| CVE-2025-7030 | Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 — Two-factor Authentication (TFA) · CWE-267 | 8.1 (AI) | High (AI) | 2025-07-08 |
| CVE-2025-6677 | Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084 — Paragraphs table · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-6676 | Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083 — Simple XML sitemap · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-6675 | Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082 — Enterprise MFA - TFA for Drupal · CWE-288 | 9.8 (AI) | Critical (AI) | 2025-06-26 |
| CVE-2025-6674 | CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081 — CKEditor5 Youtube · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-5682 | Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080 — Klaro Cookie & Consent Management · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-48921 | Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079 — Open Social · CWE-352 | 8.8 (AI) | High (AI) | 2025-06-26 |
| CVE-2025-48922 | GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078 — GLightbox · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-48923 | Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077 — Toc.js · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-26 |
| CVE-2025-48915 | COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076 — COOKiES Consent Management · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2025-48914 | COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075 — COOKiES Consent Management · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2025-48920 | etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074 — etracker · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2025-48919 | Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073 — Simple Klaro · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2025-48917 | EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072 — EU Cookie Compliance (GDPR Compliance) · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2025-48918 | Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-071 — Simple Klaro · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-13 |
| CVE-2025-48916 | Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070 — Bookable Calendar · CWE-862 | 7.5 (AI) | High (AI) | 2025-06-13 |
| CVE-2025-48447 | Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069 — Lightgallery · CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-11 |
| CVE-2025-48448 | Admin Audit Trail - Less critical - Denial of Service - SA-CONTRIB-2025-068 — Admin Audit Trail · CWE-770 | 8.1 (AI) | High (AI) | 2025-06-11 |
| CVE-2025-48446 | Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067 — Commerce Alphabank Redirect · CWE-863 | 9.4 (AI) | Critical (AI) | 2025-06-11 |
| CVE-2025-48445 | Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066 — Commerce Eurobank (Redirect) · CWE-863 | 9.8 (AI) | Critical (AI) | 2025-06-11 |
| CVE-2025-48013 | Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065 — Quick Node Block · CWE-862 | 7.5 (AI) | High (AI) | 2025-06-11 |
| CVE-2025-48444 | Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064 — Quick Node Block · CWE-862 | 7.5 (AI) | High (AI) | 2025-06-11 |
| CVE-2025-48012 | One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063 — One Time Password · CWE-294 | 9.1 (AI) | Critical (AI) | 2025-05-21 |
| CVE-2025-48011 | One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-062 — One Time Password · CWE-288 | 9.8 (AI) | Critical (AI) | 2025-05-21 |

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.