Vulmon
drupal core vulnerabilities and exploits
8.8
CVSSv3
CVE-2020-13664
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker c...
Drupal Drupal
8.8
CVSSv3
CVE-2020-13671
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 ver...
Drupal Drupal
Fedoraproject Fedora 32
Fedoraproject Fedora 33
8.1
CVSSv3
CVE-2019-6340
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x prior to 8.5.11 and Drupal 8.6.x prior to 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site ...
Drupal Drupal
3 EDB exploits
27 Github repositories
1 Article
8.1
CVSSv3
CVE-2016-3162
The File module in Drupal 7.x prior to 7.43 and 8.x prior to 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload fil...
Drupal Drupal 8.0.3
Drupal Drupal 8.0.2
Drupal Drupal 8.0.1
Drupal Drupal 7.37
Drupal Drupal 7.36
Drupal Drupal 7.35
Drupal Drupal 7.34
Drupal Drupal 7.2
Drupal Drupal 7.19
Drupal Drupal 7.18
Drupal Drupal 7.17
Drupal Drupal 7.0
Drupal Drupal 7.x-dev
Drupal Drupal 7.9
Drupal Drupal 7.8
Drupal Drupal 7.7
Drupal Drupal 7.28
Drupal Drupal 7.27
Drupal Drupal 7.26
Drupal Drupal 7.25
Drupal Drupal 7.12
Drupal Drupal 7.11
8.1
CVSSv3
CVE-2016-3169
The User module in Drupal 6.x prior to 6.38 and 7.x prior to 7.43 allows remote malicious users to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
Debian Debian Linux 8.0
Debian Debian Linux 7.0
Drupal Drupal 7.32
Drupal Drupal 7.x-dev
Drupal Drupal 7.9
Drupal Drupal 7.8
Drupal Drupal 7.7
Drupal Drupal 7.28
Drupal Drupal 7.27
Drupal Drupal 7.26
Drupal Drupal 7.25
Drupal Drupal 7.12
Drupal Drupal 7.11
Drupal Drupal 7.10
Drupal Drupal 7.1
Drupal Drupal 7.0
Drupal Drupal 6.37
Drupal Drupal 6.30
Drupal Drupal 6.3
Drupal Drupal 6.29
Drupal Drupal 6.28
Drupal Drupal 6.15
8
CVSSv3
CVE-2019-6338
In Drupal Core versions 7.x before 7.62, 8.6.x before 8.6.6 and 8.5.x before 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
Drupal Drupal
Debian Debian Linux 8.0
Debian Debian Linux 9.0
7.5
CVSSv3
CVE-2023-5256
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSO...
Drupal Drupal
7.5
CVSSv3
CVE-2022-25275
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private"...
Drupal Drupal
7.5
CVSSv3
CVE-2020-13670
Information Disclosure vulnerability in file module of Drupal Core allows a malicious user to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions before 8.8.10...
Drupal Drupal
7.5
CVSSv3
CVE-2020-13677
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.
Drupal Drupal