Drupal

Drupal is an open source CMS written in PHP.


Products by Drupal, sorted by most security vulnerabilities since 2018

Product                  Vulnerabilities
Drupal (CMS)             108
Drupal Wiki              1
Drupal Web T             1
Drupal Svg Sanitizer     1
Drupal Responsive Menus  1
Drupal Panels            1
Drupal Obfuscate         1
Drupal Entity Embed      1
Drupal Eca               1
Drupal Docker Images     1
Drupal Avatar Uploader   1

Known Exploited Drupal Vulnerabilities

The following Drupal vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Each entry gives the CVE, the EPSS exploit probability, the date it was added to the CISA KEV catalog, and the title and description.

CVE-2018-7602 (EPSS exploit probability 94.3%; added to CISA KEV April 13, 2022)
Drupal Core Remote Code Execution Vulnerability. A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.

CVE-2019-6340 (EPSS exploit probability 94.4%; added to CISA KEV March 25, 2022)
Drupal Core Remote Code Execution Vulnerability. In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

CVE-2020-13671 (EPSS exploit probability 3.4%; added to CISA KEV January 18, 2022)
Drupal core Unrestricted Upload of File. Improper sanitization of file extension names is present in Drupal core.

CVE-2018-7600 (EPSS exploit probability 94.5%; added to CISA KEV November 3, 2021)
Drupal module configuration vulnerability. Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 35 vulnerabilities in Drupal with an average CVSS base score of 6.26 out of 10. In 2024 Drupal had 12 security vulnerabilities published, so 23 more have already been reported in 2025 than in all of last year. Last year's average base score was 0.04 higher (6.30 versus 6.26).

Year  Vulnerabilities  Average Score
2025  35               6.26
2024  12               6.30
2023  10               6.65
2022  20               7.11
2021  14               6.72
2020  7                7.61
2019  14               7.54
2018  5                7.94

It may take a day or so for new Drupal vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name, so an entry's product tag is not proof that it concerns Drupal core or a drupal.org module.

Recent Drupal Security Vulnerabilities

Each entry gives the CVE and publication date, a short title, the NVD description with its affected-version clause, and (where the page records one) the product tag.

CVE-2025-12466 (Oct 29, 2025)
Simple OAuth (OAuth2) & OpenID Connect: authentication bypass. Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.

CVE-2025-12083 (Oct 29, 2025)
CivicTheme Design System: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS). This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.

CVE-2025-12082 (Oct 29, 2025)
CivicTheme Design System: incorrect authorization (forceful browsing). Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.

CVE-2025-10929 (Oct 29, 2025)
Reverse Proxy Header: improper validation of consistency within input. Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.

CVE-2025-10930 (Oct 29, 2025)
Currency: cross-site request forgery. Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 before 3.5.0.

CVE-2025-10931 (Oct 29, 2025)
Umami Analytics: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS). This issue affects Umami Analytics: from 0.0.0 before 1.0.1.

CVE-2025-10928 (Oct 29, 2025)
Access code: brute force through improper restriction of excessive authentication attempts. Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5.

CVE-2025-10927 (Oct 29, 2025)
Plausible tracking: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS). This issue affects Plausible tracking: from 0.0.0 before 1.0.2.

CVE-2025-10926 (Oct 29, 2025)
JSON Field: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS). This issue affects JSON Field: from 0.0.0 before 1.5.

CVE-2025-9954 (Oct 29, 2025)
Acquia DAM: missing authorization (forceful browsing). Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5.

CVE-2025-9554 (Oct 10, 2025)
Owl Carousel 2: unspecified vulnerability, all versions. Vulnerability in Drupal Owl Carousel 2. This issue affects Owl Carousel 2: *.* (every release is listed as affected and no fixed release is given).

CVE-2025-9553 (Oct 10, 2025)
API Key manager: unspecified vulnerability, all versions. Vulnerability in Drupal API Key manager. This issue affects API Key manager: *.* (every release is listed as affected and no fixed release is given).

CVE-2025-9552 (Oct 10, 2025)
Synchronize composer.Json With Contrib Modules: unspecified vulnerability, all versions. Vulnerability in Drupal Synchronize composer.Json With Contrib Modules. This issue affects Synchronize composer.Json With Contrib Modules: *.* (every release is listed as affected and no fixed release is given).

CVE-2025-9551 (Oct 10, 2025)
Protected Pages: brute force through improper restriction of excessive authentication attempts. Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force. This issue affects Protected Pages: from 0.0.0 before 1.8.0.

CVE-2025-9550 (Oct 10, 2025)
Facets: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS). This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.

CVE-2025-9549 (Oct 10, 2025)
Facets: missing authorization (forceful browsing). Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing. This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.

CVE-2025-8093 (Oct 10, 2025)
Authenticator Login: authentication bypass. Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects Authenticator Login: from 0.0.0 before 2.1.8.
Products: Authenticator Login
CVE-2025-48914 (Jun 13, 2025)
COOKiES Consent Management: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
Products: Cookies Consent Management

CVE-2025-48915 (Jun 13, 2025)
COOKiES Consent Management: cross-site scripting (a second, separately tracked issue with the same affected range). Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
Products: Cookies Consent Management

CVE-2025-3902 (Apr 23, 2025)
Block Class: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Class allows Cross-Site Scripting (XSS). This issue affects Block Class: from 4.0.0 before 4.0.1.
Products: Drupal

CVE-2025-3739 (Apr 16, 2025)
Drupal 8 Google Optimize Hide Page: unspecified vulnerability, all versions. Vulnerability in Drupal Drupal 8 Google Optimize Hide Page. This issue affects Drupal 8 Google Optimize Hide Page: *.* (every release is listed as affected and no fixed release is given).
Products: Drupal

CVE-2025-3474 (Apr 09, 2025)
Panels: missing authentication for a critical function. Missing Authentication for Critical Function vulnerability in Drupal Panels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Panels: from 0.0.0 before 4.9.0.
Products: Panels

CVE-2025-3475 (Apr 09, 2025)
WEB-T: unthrottled resource allocation and incorrect authorization (content spoofing). Allocation of Resources Without Limits or Throttling, Incorrect Authorization vulnerability in Drupal WEB-T allows Excessive Allocation, Content Spoofing. This issue affects WEB-T: from 0.0.0 before 1.1.0.
Products: Web T

CVE-2025-3131 (Apr 09, 2025)
ECA: Event - Condition - Action: cross-site request forgery. Cross-Site Request Forgery (CSRF) vulnerability in Drupal ECA: Event - Condition - Action allows Cross Site Request Forgery. This issue affects ECA: Event - Condition - Action: from 0.0.0 before 1.1.12, from 2.0.0 before 2.0.16, from 2.1.0 before 2.1.7, from 0.0.0 before 1.2.*.
Products: Eca

CVE-2025-3130 (Apr 02, 2025)
Obfuscate: stored cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS. This issue affects Obfuscate: from 0.0.0 before 2.0.1.
Products: Obfuscate

CVE-2025-31673 (Mar 31, 2025)
Drupal core: incorrect authorization (forceful browsing). Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Products: Drupal

CVE-2025-31675 (Mar 31, 2025)
Drupal core: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
Products: Drupal

CVE-2025-31674 (Mar 31, 2025)
Drupal core: object injection through improperly controlled modification of dynamically-determined object attributes. Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Products: Drupal

CVE-2025-31692 (Mar 31, 2025)
AI (Artificial Intelligence): OS command injection. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.5.
Products: Artificial Intelligence

CVE-2025-31693 (Mar 31, 2025)
AI (Artificial Intelligence): OS command injection (a second, separately tracked issue with the same affected range). Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.5.
Products: Artificial Intelligence

CVE-2025-3057 (Mar 31, 2025)
Drupal core: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Products: Drupal

CVE-2024-13294 (Jan 09, 2025)
POST File: cross-site scripting. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal POST File allows Cross-Site Scripting (XSS). This issue affects POST File: from 0.0.0 before 1.0.2.
Products: Drupal

CVE-2024-13295 (Jan 09, 2025)
Node export (Drupal 7): deserialization of untrusted data (object injection). Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection. This issue affects Node export: from 7.X-* before 7.X-3.3.
Products: Drupal
CVE-2024-13311 (Jan 09, 2025)
Allow All File Extensions for file fields: unspecified vulnerability, all versions. Vulnerability in Drupal Allow All File Extensions for file fields. This issue affects Allow All File Extensions for file fields: *.* (every release is listed as affected and no fixed release is given).
Products: Drupal

CVE-2024-40748 (Jan 07, 2025)
Cross-site scripting: lack of output escaping in the id attribute of menu lists. The description names no Drupal component or version range; treat the product tag as unverified (see the note above on component tagging) and confirm against the vendor advisory before acting on it.
Products: Drupal

CVE-2024-12393 (Dec 10, 2024)
Drupal Core: cross-site scripting. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Products: Drupal

CVE-2024-55634 (Dec 10, 2024)
Drupal Core: privilege escalation. A vulnerability in Drupal Core allows Privilege Escalation. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Products: Drupal

CVE-2024-55635 (Dec 10, 2024)
Drupal Core (7.x): cross-site scripting. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 7.0 before 7.102.
Products: Drupal

CVE-2024-55636 (Dec 10, 2024)
Drupal Core: deserialization gadget chain (object injection). Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability (for instance, code elsewhere on the site that passes attacker-controlled bytes to unserialize()). Patching core removes the gadget; it does not remove the need to find and fix any such unserialize() call.
Products: Drupal

CVE-2024-55637 (Dec 10, 2024)
Drupal Core: a second deserialization gadget chain (object injection). Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Same gadget-chain caveat as CVE-2024-55636: no direct threat on its own, but a route to remote code execution where another vulnerability deserializes untrusted data.
Products: Drupal

CVE-2024-55638 (Dec 10, 2024)
Drupal Core: a third deserialization gadget chain (object injection), also present in 7.x. Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Same gadget-chain caveat as CVE-2024-55636: no direct threat on its own, but a route to remote code execution where another vulnerability deserializes untrusted data.
Products: Drupal

CVE-2024-11941 (Dec 05, 2024)
Drupal Core: excessive allocation (resource exhaustion). A vulnerability in Drupal Core allows Excessive Allocation. This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
Products: Drupal

CVE-2024-11942 (Dec 05, 2024)
Drupal Core: file manipulation. A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.
Products: Drupal

CVE-2024-45440 (Aug 29, 2024)
Drupal core/authorize.php: full path disclosure when hash_salt points at a missing file. core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. The description names only the 11.x development branch (11.x-dev).
Products: Drupal

CVE-2024-34481 (Jul 05, 2024)
Drupal Wiki (the drupal-wiki.com product) before 8.31.1: cross-site scripting via comments, captions, and image titles of a Wiki page.
Products: Wiki

CVE-2023-52367 (Feb 18, 2024)
Improper access control in a media library module. Vulnerability of improper access control in the media library module. Successful exploitation of this vulnerability may affect service availability and integrity. The description names no Drupal component or version range; treat the product tag as unverified (see the note above on component tagging) and confirm against the vendor advisory before acting on it.
Products: Drupal

CVE-2024-22362 (Jan 16, 2024)
Drupal: denial of service via improper handling of structural elements. Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.
Products: Drupal

CVE-2023-40626 (Nov 29, 2023)
Language file parsing exposes environment variables. The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information. The description names no Drupal component or version range; treat the product tag as unverified (see the note above on component tagging) and confirm against the vendor advisory before acting on it.
Products: Drupal

CVE-2023-5256 (Sep 28, 2023)
Drupal JSON:API: error backtraces cached and served to anonymous users. In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
Products: Drupal

CVE-2018-25085 (May 01, 2023)
Responsive Menus 7.x-1.x-dev: cross-site scripting in the configuration form submit handler. A vulnerability classified as problematic was found in Responsive Menus 7.x-1.x-dev on Drupal. Affected by this vulnerability is the function responsive_menus_admin_form_submit of the file responsive_menus.module of the component Configuration Setting Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 7.x-1.7 addresses this issue. The patch is named 3c554b31d32a367188f44d44857b061eac949fb8. The associated identifier of this vulnerability is VDB-227755.
Products: Responsive Menus
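Most of the entries above state their affected versions as "This issue affects <product>: from A before B, ..." clauses, sometimes with several branches (core's 10.3.x, 10.4.x, 11.0.x and 11.1.x lines) and sometimes as "*.*" (every release affected, no fix available). Checking a site's installed versions against those clauses by eye is error-prone, so the following is an added triage helper written for this page; it is not stack.watch or Drupal project code. The advisory strings and the site inventory are constructed samples in the page's own wording, the handling of Drupal 7 contrib version strings ("7.X-3.3") is an assumption, and the older NVD prose form used by CVE-2018-7600 ("8.4.x before 8.4.6", no explicit lower bound) is deliberately left for a human.

```python
"""Triage helper for the 'This issue affects <product>: from A before B, ...'
clauses used in the advisory text above. Returns a verdict per CVE for the
module versions a site actually runs, instead of eyeballing version ranges."""
import re

# Constructed sample advisory texts, worded like the entries above
# (assumption: upstream feeds use the same phrasing; confirm against drupal.org).
SAMPLE_ADVISORIES = {
    "CVE-2025-31673": ("This issue affects Drupal core: from 8.0.0 before 10.3.13, "
                       "from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, "
                       "from 11.1.0 before 11.1.3."),
    "CVE-2024-13295": "This issue affects Node export: from 7.X-* before 7.X-3.3.",
    "CVE-2025-9554": "This issue affects Owl Carousel 2: *.*.",
    # Older NVD prose with no 'from' lower bound per branch: the parser refuses to guess.
    "CVE-2018-7600": ("Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, "
                      "and 8.5.x before 8.5.1 allows remote attackers to execute "
                      "arbitrary code."),
}

RANGE_RE = re.compile(r"from\s+([\w.*-]+)\s+before\s+([\w.*-]+)")
PRODUCT_RE = re.compile(r"affects\s+([^:]+):")
ALL_VERSIONS = object()   # sentinel for the '*.*' (every release affected) form


def parse_version(text):
    """'10.3.13' -> (10, 3, 13). A core-branch prefix ('7.x-3.3') is dropped
    (assumption about Drupal 7 contrib naming) and a wildcard ('*', 'x') becomes None."""
    text = text.strip().rstrip(".")
    if "-" in text:
        text = text.split("-", 1)[1]          # '7.x-3.3' -> '3.3'
    parts = []
    for p in text.split("."):
        if p in ("*", "x", "X"):
            parts.append(None)
        elif p.isdigit():
            parts.append(int(p))
        else:
            raise ValueError(f"unrecognised version component {p!r} in {text!r}")
    return tuple(parts)


def _compare(version, bound, wildcard_value):
    """Component-wise compare. Missing components count as 0; wildcard components
    take wildcard_value (0 for a lower bound, infinity for an upper bound)."""
    for i in range(max(len(version), len(bound))):
        a = version[i] if i < len(version) else 0
        b = bound[i] if i < len(bound) else 0
        a = wildcard_value if a is None else a
        b = wildcard_value if b is None else b
        if a != b:
            return -1 if a < b else 1
    return 0


def affected_ranges(advisory):
    """List of (lower_inclusive, upper_exclusive) tuples, ALL_VERSIONS for '*.*',
    or None when the text carries no structured range (manual review needed)."""
    if re.search(r":\s*\*\.\*", advisory):
        return ALL_VERSIONS
    ranges = [(parse_version(lo), parse_version(hi))
              for lo, hi in RANGE_RE.findall(advisory)]
    return ranges or None


def is_affected(installed, advisory):
    """True / False when the advisory decides it, None when a human must decide."""
    ranges = affected_ranges(advisory)
    if ranges is None:
        return None
    if ranges is ALL_VERSIONS:
        return True
    v = parse_version(installed)
    return any(_compare(v, lo, 0) >= 0 and _compare(v, hi, float("inf")) < 0
               for lo, hi in ranges)


def triage(installed, advisories=SAMPLE_ADVISORIES):
    """Map each CVE to 'affected', 'not affected', 'not installed' or 'manual review'.
    `installed` maps product names as written after 'affects' to the running version."""
    verdicts = {}
    for cve, text in advisories.items():
        m = PRODUCT_RE.search(text)
        if m is None:
            verdicts[cve] = "manual review"
            continue
        product = m.group(1).strip()
        if product not in installed:
            verdicts[cve] = "not installed"
            continue
        result = is_affected(installed[product], text)
        verdicts[cve] = ("manual review" if result is None
                         else "affected" if result else "not affected")
    return verdicts


if __name__ == "__main__":
    # Constructed inventory for a hypothetical site (assumption, not real data).
    site = {"Drupal core": "10.4.2", "Node export": "7.x-3.3"}
    for cve, verdict in triage(site).items():
        print(f"{cve}: {verdict}")
```

Run it as a script to print one verdict per CVE. The upper bound is exclusive on purpose: "before 10.4.3" means 10.4.3 itself is the fixed release, so a site on exactly 10.4.3 is reported as not affected, while 10.4.0 through 10.4.2 are. Texts in the older prose form carry no per-branch lower bound, so a naive "less than the last number" check would flag 8.4.7 as vulnerable to CVE-2018-7600 when the 8.4 branch was fixed in 8.4.6; the helper returns "manual review" for those rather than guessing.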
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Always check with your vendor for the most up to date and accurate information.