
Drupal — Vulnerabilities & Security Advisories (309)

Browse all 309 CVE security advisories affecting Drupal. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Drupal is an open-source content management framework primarily utilized for building complex websites and digital experiences. With 295 recorded CVEs, its security history reflects typical challenges faced by widely adopted PHP-based platforms. Common vulnerability classes include remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation or insecure configuration defaults. Notable incidents have frequently involved exposed administrative endpoints or flawed permission handling, allowing attackers to gain unauthorized access or inject malicious scripts. The platform’s modular architecture, while flexible, can introduce risk if contributed modules are not rigorously vetted or updated. Security posture largely depends on timely patching and strict adherence to hardening guidelines. Despite these historical issues, Drupal remains a robust tool for enterprise-level applications, provided administrators maintain vigilant oversight of installed extensions and system configurations to mitigate known attack vectors effectively.

Values marked (AI) carry the page's AI badge on that cell; "-" means the page shows no value.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-3215 | Islandora - Moderately critical - Arbitrary file upload, Cross-site scripting - SA-CONTRIB-2026-016 | Islandora | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3214 | CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015 | CAPTCHA | CWE-288 | 9.1 | - | 2026-03-25 |
| CVE-2026-3213 | Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014 | Anti-Spam by CleanTalk | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3212 | Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013 | Tagify | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-3211 | Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012 | Theme Negotiation by Rules | CWE-352 | 8.8 | - | 2026-03-25 |
| CVE-2026-3210 | Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011 | Material Icons | CWE-863 | 7.5 | - | 2026-03-25 |
| CVE-2026-2349 | UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010 | UI Icons | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-2348 | Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009 | Quick Edit | CWE-79 | 6.1 | - | 2026-03-25 |
| CVE-2026-1917 | Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008 | Login Disable | CWE-288 | 9.8 | - | 2026-03-25 |
| CVE-2026-1554 | Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007 | Central Authentication System (CAS) Server | CWE-91 | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-1553 | Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006 | Drupal Canvas | CWE-863 | 7.5 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-0948 | Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005 | Microsoft Entra ID SSO Login | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-02-04 |
| CVE-2026-0947 | AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004 | AT Internet Piano Analytics | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-04 |
| CVE-2026-0946 | AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003 | AT Internet SmartTag | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-04 |
| CVE-2026-0945 | Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002 | Role Delegation | CWE-267 | 8.8 (AI) | High (AI) | 2026-02-04 |
| CVE-2026-0944 | Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001 | Group invite | CWE-754 | - | - | 2026-02-04 |
| CVE-2025-14840 | HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126 | HTTP Client Manager | CWE-754 | - | - | 2026-01-28 |
| CVE-2025-14472 | Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125 | Acquia Content Hub | CWE-352 | 8.8 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-13986 | Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124 | Disable Login Page | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-01-28 |
| CVE-2025-13985 | Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123 | Entity Share | CWE-863 | 7.5 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-13984 | Next.js - Critical - Access bypass - SA-CONTRIB-2025-122 | Next.js | CWE-942 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-13983 | Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121 | Tagify | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-13982 | Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120 | Login Time Restriction | CWE-352 | 8.8 (AI) | High (AI) | 2026-01-28 |
| CVE-2025-13981 | AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119 | AI (Artificial Intelligence) | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2025-13980 | CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118 | CKEditor 5 Premium Features | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-01-28 |
| CVE-2025-13979 | Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117 | Mini site | CWE-267 | 5.4 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2026-0749 | Cross-Site Scripting Vulnerability in Drupal Form Builder Module | Drupal | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-28 |
| CVE-2026-0750 | Payment bypass in Commerce Paybox | Drupal Commerce Paybox | CWE-347 | 9.8 (AI) | Critical (AI) | 2026-01-28 |
| CVE-2025-14557 | XSS in Drupal 7 Facebook Pixel Module | Facebook Pixel | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-14556 | XSS in Drupal 7 Flag Module | Flag | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-01-14 |

This page lists every published CVE security advisory associated with Drupal. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.