Backdropcms

Products by Backdropcms Sorted by Most Security Vulnerabilities since 2018

Backdropcms Backdrop Cms: 14 vulnerabilities

Backdropcms Backdrop: 12 vulnerabilities

Backdropcms Backdrop Core: 1 vulnerability

Backdropcms Basic Cart: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Backdropcms. Last year, in 2025, Backdropcms had 3 security vulnerabilities published. Right now, Backdropcms is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 3 0.00
2024 2 4.80
2023 2 5.45
2022 8 5.74
2021 0 0.00
2020 0 0.00
2019 8 6.10
2018 1 4.80

It may take a day or so for new Backdropcms vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Backdropcms Security Vulnerabilities

CVE, Date, Vulnerability, Products

CVE-2025-44141 (Jun 26, 2025)
Backdrop CMS 1.30 XSS in Node Creation Form, fixed in 1.31
A Cross-Site Scripting (XSS) vulnerability exists in the node creation form of Backdrop CMS 1.30.
Products: Backdrop, Backdrop Cms

CVE-2025-46595 (Apr 25, 2025)
Backdrop CMS Flag module XSS before 1.x-3.6.2
An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.
Products: Backdrop

CVE-2025-25063 (Feb 03, 2025)
Backdrop CMS 1.28.x/1.29.x XSS via SVG Upload
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.
Products: Backdrop

CVE-2024-54123 (Nov 29, 2024)
Backdrop CMS XSS via SVG in text format before 1.28.4/1.29.2
Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format.
Products: Backdrop Cms

CVE-2024-41709 (Jul 22, 2024)
Backdrop CMS 1.27.3-1.28.2 Field Label XSS Vulnerability
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.
Products: Backdrop

CVE-2023-31045 (Apr 24, 2023)
Stored XSS via 'name' param in Backdrop CMS 1.24.2 Text Editor
A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere."
Products: Backdrop, Backdrop Cms

CVE-2012-10004 (Jan 11, 2023)
Drupal Basic_Cart 1.1.1 XSS via basic_cart_checkout_form_submit
A vulnerability was found in backdrop-contrib Basic Cart on Drupal. It has been classified as problematic. Affected is the function basic_cart_checkout_form_submit of the file basic_cart.cart.inc. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.x-1.1.1 is able to address this issue. The patch is identified as a10424ccd4b3b4b433cf33b73c1ad608b11890b4. It is recommended to upgrade the affected component. VDB-217950 is the identifier assigned to this vulnerability.
Products: Basic Cart

CVE-2022-42095 (Nov 23, 2022)
Backdrop CMS 1.23+ Stored XSS via Page content
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.
Products: Backdrop Cms

CVE-2022-42094 (Nov 22, 2022)
Backdrop CMS 1.23.0 XSS via Card Content
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
Products: Backdrop, Backdrop Cms

CVE-2022-42097 (Nov 22, 2022)
Stored XSS in Backdrop CMS 1.23.0 via Comment
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment'.
Products: Backdrop

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).