Drupal Drupal Drupal is an Open Source CMS written in PHP

  1. Vendors
  2. Drupal

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Drupal product.

RSS Feeds for Drupal security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Drupal products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Drupal Sorted by Most Security Vulnerabilities since 2018

Drupal124 vulnerabilities
CMS

Drupal Artificial Intelligence3 vulnerabilities

Drupal Cookies Consent Management2 vulnerabilities

Drupal Jquery Ui Checkboxradio1 vulnerability

Drupal Wiki1 vulnerability

Drupal Web T1 vulnerability

Drupal Views Dynamic Field1 vulnerability

Drupal Svg Sanitizer1 vulnerability

Drupal Saml Sp 2 0 Single Sign On1 vulnerability

Drupal Responsive Menus1 vulnerability

Drupal Panels1 vulnerability

Drupal Obfuscate1 vulnerability

Drupal Entity Embed1 vulnerability

Drupal Eca1 vulnerability

Drupal Docker Images1 vulnerability

Drupal Avatar Uploader1 vulnerability

Drupal Authenticator Login1 vulnerability

Known Exploited Drupal Vulnerabilities

The following Drupal vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Drupal Core Remote Code Execution Vulnerability A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.
CVE-2018-7602 Exploit Probability: 94.4% 		April 13, 2022
Drupal Core Remote Code Execution Vulnerability In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
CVE-2019-6340 Exploit Probability: 94.4% 		March 25, 2022
Drupal core Un-restricted Upload of File Improper sanitization in the extension file names is present in Drupal core.
CVE-2020-13671 Exploit Probability: 4.5% 		January 18, 2022
Drupal module configuration vulnerability Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
CVE-2018-7600 Exploit Probability: 94.5% 		November 3, 2021

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 21 vulnerabilities in Drupal with an average score of 5.7 out of ten. Last year, in 2025 Drupal had 43 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Drupal in 2026 could surpass last years number. Last year, the average CVE base score was greater by 0.16




Year Vulnerabilities Average Score
2026 21 5.70
2025 43 5.86
2024 12 6.30
2023 11 6.65
2022 20 7.11
2021 14 6.72
2020 9 8.00
2019 19 7.60
2018 5 8.30

It may take a day or so for new Drupal vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Drupal Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-1554 Feb 04, 2026
Drupal CAS Server XML Injection PrivEsc (before 2.0.3, before 2.1.2) XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
CVE-2026-1553 Feb 04, 2026
Drupal Canvas 1.0.4 Incorrect Auth: Forceful Browsing (CVE-2026-1553) Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
Drupal
CVE-2026-0948 Feb 04, 2026
Auth Bypass alt path in Microsoft Entra ID SSO Login before 1.0.4 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.
CVE-2026-0947 Feb 04, 2026
Drupal AT Internet Piano Analytics XSS 0.0.0-1.0.1 & 2.0.0-2.3.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.
CVE-2026-0946 Feb 04, 2026
Drupal AT Internet SmartTag XSS <1.0.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.
CVE-2026-0945 Feb 04, 2026
Privilege Escalation via Unsafe Actions in Drupal Role Delegation 1.3.0-<1.5.0 Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0.
CVE-2026-0944 Feb 04, 2026
Drupal Group Invite Forceful Browsing Vulnerability (2.3.9, 3.0.4, 4.0.4) Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.
CVE-2025-14840 Jan 28, 2026
Drupal HTTP Client Manager <9.3.13 / <10.0.2 / <11.0.1 ImpChk Forceful Browsing Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.
CVE-2025-14472 Jan 28, 2026
Acquia Content Hub CSRF <3.6.4/3.7.3 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.
CVE-2025-13986 Jan 28, 2026
Drupal Disable Login Page: Auth Bypass via Alternate Path (v<1.1.3) Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.
CVE-2025-13985 Jan 28, 2026
Drupal Entity Share <3.13 Forceful Browsing via Incorrect Auth Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.
CVE-2025-13984 Jan 28, 2026
Next.js XSS via Permissive CrossDomain Policy (1.6.4, 2.0.1) Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.
CVE-2025-13983 Jan 28, 2026
Drupal Tagify <1.2.44 XSS Vulnerability Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.
CVE-2025-13982 Jan 28, 2026
Drupal Login Time Restriction <=1.0.3 CSRF Vulnerability Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3.
CVE-2025-13981 Jan 28, 2026
Drupal AI XSS CVE-2025-13981 v<1.1.7 or <1.2.4 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.
Artificial Intelligence
CVE-2025-13980 Jan 28, 2026
CKEditor 5 Premium Features Auth Bypass via alt path before 1.6.4 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.
CVE-2025-13979 Jan 28, 2026
Drupal Mini Site <3.0.2 Stored XSS via Unsafe Actions Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2.
CVE-2026-0749 Jan 28, 2026
Drupal Form Builder XSS before 7.X-1.22 (CVE-2026-0749) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.
Drupal
CVE-2026-0750 Jan 28, 2026
Drupal Commerce Paybox 7.x-1.0 to 1.5: Bad Sign Verification -> Auth Bypass Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.
Drupal
CVE-2025-14557 Jan 14, 2026
Drupal Facebook Pixel 7.x-1.0~1.1 Stored XSS Vulnerability Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.
CVE-2025-14556 Jan 14, 2026
Drupal Flag 7.X-3.0-3.9 XSS Vulnerability Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9.
CVE-2025-12848 Nov 26, 2025
CVE-2025-12848: Drupal Webform MF Module XSS via Malicious Filename Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at  https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.
Drupal
CVE-2025-12761 Nov 18, 2025
Drupal Simple multi step form XSS v0.0.0-<2.0.0 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.
CVE-2025-12760 Nov 18, 2025
Drupal Email TFA Authentication Bypass Before 2.0.6 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6.
CVE-2025-13083 Nov 18, 2025
Drupal core cache data leak via access control (v8-10.4.9,10.5-10.5.6,11.0-11.1.9) Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
Drupal
CVE-2025-13082 Nov 18, 2025
Drupal Core UI Misrepr Vulnerability 8.x10.4.9,10.5.x10.5.6,11.x11.2.8 User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Drupal
CVE-2025-13081 Nov 18, 2025
Drupal Core OI VULN 8.010.4.9,10.510.5.6,11.011.1.9,11.211.2.8 Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Drupal
CVE-2025-13080 Nov 18, 2025
Drupal Core 810.4.9,10.510.5.6,11.011.1.9,11.211.2.8 Forceful Browsing via Improper Check Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Drupal
CVE-2025-12466 Oct 29, 2025
Drupal Simple OAuth Auth Bypass v6.0.0-6.0.6 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
CVE-2025-12083 Oct 29, 2025
Drupal CivicTheme Design Sys 0.0.0-1.11.9 XSS via Imp. Input Ntrl. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
CVE-2025-12082 Oct 29, 2025
Drupal CivicTheme Design System <1.12.0 Improper Auth: Forceful Browsing Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
CVE-2025-10929 Oct 29, 2025
Drupal Reverse Proxy Header CVE Imp. Input Validation < v1.1.2 Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.
CVE-2025-10930 Oct 29, 2025
Drupal Currency CSRF (pre3.5.0) Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0.
CVE-2025-10931 Oct 29, 2025
Umami Analytics XSS via Improper Input Neutralization before 1.0.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.
CVE-2025-10928 Oct 29, 2025
Drupal Access Brute Force Improper Auth Attempts before 2.0.5 Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5.
CVE-2025-10927 Oct 29, 2025
Drupal Plausible Tracking XSS before 1.0.2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).This issue affects Plausible tracking: from 0.0.0 before 1.0.2.
CVE-2025-10926 Oct 29, 2025
Drupal JSON Field XSS (before v1.5) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).This issue affects JSON Field: from 0.0.0 before 1.5.
CVE-2025-9954 Oct 29, 2025
Drupal Acquia DAM <1.1.5 Missing Authorization Forceful Browsing Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5.
CVE-2025-9554 Oct 10, 2025
Drupal Owl Carousel 2: Critical XSS via OWL Carousel Vulnerability in Drupal Owl Carousel 2.This issue affects Owl Carousel 2: *.*.
CVE-2025-9553 Oct 10, 2025
Drupal API Key Manager Vulnerability (CVE-2025-9553) Vulnerability in Drupal API Key manager.This issue affects API Key manager: *.*.
CVE-2025-9552 Oct 10, 2025
Drupal 'Synchronize composer.json' Module Vulnerability (CVE-2025-9552) Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules: *.*.
CVE-2025-9551 Oct 10, 2025
Drupal Protected Pages <1.8 Brute Force via Improper Auth Restriction Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.This issue affects Protected Pages: from 0.0.0 before 1.8.0.
CVE-2025-9550 Oct 10, 2025
Drupal Facets XSS in 0.0.02.0.10 & 3.0.03.0.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.
CVE-2025-9549 Oct 10, 2025
Drupal Facets <2.0.10 / <3.0.1 Missing Auth: Forceful Browsing Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.
CVE-2025-8093 Oct 10, 2025
Auth Bypass in Drupal Authenticator Login <2.1.8 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8.
Authenticator Login
CVE-2025-48915 Jun 13, 2025
Drupal COOKiES Consent Mgmt XSS before 1.2.15 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
Cookies Consent Management
CVE-2025-48914 Jun 13, 2025
Drupal COOKiES Consent Mgmt XSS: CVE-2025-48914 (v<1.2.15) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
Cookies Consent Management
CVE-2025-47705 May 14, 2025
Drupal iFrame Remove Filter XSS < 2.0.5 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS).This issue affects IFrame Remove Filter: from 2.0.0 before 2.0.5, from 7.X-1.0 through 7.X-1.5, from 1.0 through 1.2.
CVE-2025-3902 Apr 23, 2025
Drupal Block Class XSS (CVE-2025-3902) 4.0.0-<4.0.1 – Block Class Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Class allows Cross-Site Scripting (XSS).This issue affects Block Class: from 4.0.0 before 4.0.1.
Drupal
CVE-2025-3739 Apr 16, 2025
Drupal 8 Google Optimize Hide Page RCE Vulnerability Vulnerability in Drupal Drupal 8 Google Optimize Hide Page.This issue affects Drupal 8 Google Optimize Hide Page: *.*.
Drupal
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.