Drupal Drupal Drupal is an Open Source CMS written in PHP

  1. Vendors
  2. Drupal

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Drupal product.

RSS Feeds for Drupal security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Drupal products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Drupal Sorted by Most Security Vulnerabilities since 2018

Drupal131 vulnerabilities
CMS

Drupal Artificial Intelligence4 vulnerabilities

Drupal Cookies Consent Management2 vulnerabilities

Drupal Jquery Ui Checkboxradio1 vulnerability

Drupal Wiki1 vulnerability

Drupal Web T1 vulnerability

Drupal Views Dynamic Field1 vulnerability

Drupal Svg Sanitizer1 vulnerability

Drupal Saml Sp 2 0 Single Sign On1 vulnerability

Drupal Responsive Menus1 vulnerability

Drupal Panels1 vulnerability

Drupal Obfuscate1 vulnerability

Drupal Entity Embed1 vulnerability

Drupal Eca1 vulnerability

Drupal Docker Images1 vulnerability

Drupal Avatar Uploader1 vulnerability

Drupal Authenticator Login1 vulnerability

Known Exploited Drupal Vulnerabilities

The following Drupal vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Drupal Core SQL Injection Vulnerability Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
CVE-2026-9082 		May 22, 2026
Drupal Core Remote Code Execution Vulnerability A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.
CVE-2018-7602 Exploit Probability: 94.4% 		April 13, 2022
Drupal Core Remote Code Execution Vulnerability In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
CVE-2019-6340 Exploit Probability: 94.4% 		March 25, 2022
Drupal core Un-restricted Upload of File Improper sanitization in the extension file names is present in Drupal core.
CVE-2020-13671 Exploit Probability: 4.5% 		January 18, 2022
Drupal module configuration vulnerability Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
CVE-2018-7600 Exploit Probability: 94.5% 		November 3, 2021

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 58 vulnerabilities in Drupal with an average score of 5.7 out of ten. Last year, in 2025 Drupal had 43 security vulnerabilities published. That is, 15 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.12




Year Vulnerabilities Average Score
2026 58 5.72
2025 43 5.84
2024 12 6.30
2023 11 6.65
2022 20 7.11
2021 14 6.72
2020 9 8.00
2019 19 7.60
2018 5 8.30

It may take a day or so for new Drupal vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Drupal Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-4093 May 21, 2026
Drupal 7 Term Reference Tree module XSS; tokens unsanitized v7.x-1.11 In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11.
CVE-2026-4929 May 21, 2026
XSS in Drupal 7 SHS module (7.x-1.0 7.x-1.10) via term names Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.
CVE-2026-9082 May 20, 2026
Drupal Core SQLi before 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Drupal
CVE-2026-8495 May 19, 2026
Drupal Date iCal 0.0.04.0.15 Missing Auth for Forceful Browsing Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.
CVE-2026-8493 May 19, 2026
Drupal Colorbox Inline XSS before 2.1.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.
CVE-2026-8492 May 19, 2026
Drupal Translate GTranslate <3.0.5 Resource Spoofing CVE-2026-8492 Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.
Drupal
CVE-2026-8491 May 19, 2026
Drupal NVPerm Improper Check (CVE-2026-8491) Forceful Browsing <1.7.0, <2.0.1 Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.
CVE-2026-6871 May 19, 2026
Drupal Obfuscate < 2.0.2 XSS Vulnerability Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2.
CVE-2026-6367 May 19, 2026
Drupal XSS Vulnerability 11.3.011.3.6 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.
Drupal
CVE-2026-6366 May 19, 2026
Object Injection in Drupal Core (v810.5.9, 10.610.6.6, 11.011.2.10, 11.311.3.6) Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Drupal
CVE-2026-6365 May 19, 2026
Drupal XSS CVE-2026-6365: v8-10.5.9,10.6-10.6.7,11.0-11.2.11,11.3-11.3.7 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
Drupal
CVE-2026-6095 May 19, 2026
Drupal Orejime <=2.0.16 XSS via improper input neutralization Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16.
CVE-2026-0748 Mar 26, 2026
Drupal 7 i18n_node Unpublished Node Disclosure (7.x-1.0-7.x-1.35) In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
CVE-2026-1556 Mar 26, 2026
Drupal 7.x File (FP): Authenticated Info Disclosure via URI collisions <7.1.3 Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users private files via filenamecollision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Drupal
CVE-2026-4393 Mar 26, 2026
CSRF Vulnerability in Drupal Autom. Logout <1.7.0 / <2.0.2 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.
CVE-2026-4933 Mar 26, 2026
Drupal Unpublished Node Permissions <1.7.0: Forceful Browsing via Auth Bypass Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.
CVE-2026-3573 Mar 26, 2026
Drupal AI <1.1.11 & <1.2.12: Incorrect Auth Enables Resource Injection Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.
Artificial Intelligence
CVE-2026-3532 Mar 26, 2026
Drupal OIDC/OAuth Client <=1.4 Privilege Escalation via Case Sensitivity Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
CVE-2026-3531 Mar 26, 2026
Drupal OIDC/OAuth Client Auth Bypass < 1.5.0 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
CVE-2026-3530 Mar 26, 2026
Drupal OpenID Connect OAuth Client SSRF before v1.5.0 Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
CVE-2026-3529 Mar 26, 2026
Drupal GA4 XSS before 1.1.14 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.
CVE-2026-3528 Mar 26, 2026
Drupal Calculation Fields XSS before 1.0.4 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
CVE-2026-3527 Mar 26, 2026
Drupal AJAX Dashboard v<3.1.0 Missing Auth Critical Function Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.
CVE-2026-3526 Mar 26, 2026
Drupal File Access Fix <1.2.0: Forceful Browsing via Incorrect Auth Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
CVE-2026-3525 Mar 26, 2026
Drupal File Access Fix <1.2.0: Incorrect Auth, Forceful Browsing Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
CVE-2026-3218 Mar 25, 2026
Drupal Responsive Favicons XSS before 2.0.2 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS).This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.
CVE-2026-3217 Mar 25, 2026
Drupal SAML SSO XSS Vulnerability (before 3.1.3) Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS).This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.
CVE-2026-3216 Mar 25, 2026
Drupal Canvas SSRF before 1.1.1 Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.
Drupal
CVE-2026-3215 Mar 25, 2026
XSS in Drupal Islandora (pre-2.17.5) via Improper Input Neutralization Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS).This issue affects Islandora: from 0.0.0 before 2.17.5.
CVE-2026-3214 Mar 25, 2026
Drupal CAPTCHA v1.x <1.17.0 or v2.x <2.0.10 Auth Bypass via Alternate Channel Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.
CVE-2026-3213 Mar 25, 2026
XSS in Drupal Anti-Spam by CleanTalk before 9.7.0 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS).This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.
CVE-2026-3212 Mar 25, 2026
Drupal Tagify XSS before v1.2.49 via Improper Neutralization Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49.
CVE-2026-3211 Mar 25, 2026
Drupal Theme Negotiation by Rules <1.2.1 CSRF Vulnerability Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.
CVE-2026-3210 Mar 25, 2026
Drupal Material Icons <=2.0.3 Forceful Browsing via Incorrect Auth Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.
CVE-2026-2349 Mar 25, 2026
Drupal UI Icons XSS in UI Icons (<=1.1.0) Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.
CVE-2026-2348 Mar 25, 2026
Drupal Quick Edit XSS (before 1.0.5, before 2.0.1) Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.
CVE-2026-1917 Mar 25, 2026
Drupal Login Disable 2.1.3 Auth Bypass via Alternate Path (CVE-2026-1917) Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.
CVE-2026-1554 Feb 04, 2026
Drupal CAS Server XML Injection PrivEsc (before 2.0.3, before 2.1.2) XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
CVE-2026-1553 Feb 04, 2026
Drupal Canvas 1.0.4 Incorrect Auth: Forceful Browsing (CVE-2026-1553) Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
Drupal
CVE-2026-0948 Feb 04, 2026
Auth Bypass alt path in Microsoft Entra ID SSO Login before 1.0.4 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.
CVE-2026-0947 Feb 04, 2026
Drupal AT Internet Piano Analytics XSS 0.0.0-1.0.1 & 2.0.0-2.3.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.
CVE-2026-0946 Feb 04, 2026
Drupal AT Internet SmartTag XSS <1.0.1 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS).This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.
CVE-2026-0945 Feb 04, 2026
Privilege Escalation via Unsafe Actions in Drupal Role Delegation 1.3.0-<1.5.0 Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0.
CVE-2026-0944 Feb 04, 2026
Drupal Group Invite Forceful Browsing Vulnerability (2.3.9, 3.0.4, 4.0.4) Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.
CVE-2025-14840 Jan 28, 2026
Drupal HTTP Client Manager <9.3.13 / <10.0.2 / <11.0.1 ImpChk Forceful Browsing Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.
CVE-2025-14472 Jan 28, 2026
Acquia Content Hub CSRF <3.6.4/3.7.3 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.
CVE-2025-13986 Jan 28, 2026
Drupal Disable Login Page: Auth Bypass via Alternate Path (v<1.1.3) Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3.
CVE-2025-13985 Jan 28, 2026
Drupal Entity Share <3.13 Forceful Browsing via Incorrect Auth Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.
CVE-2025-13984 Jan 28, 2026
Next.js XSS via Permissive CrossDomain Policy (1.6.4, 2.0.1) Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.
CVE-2025-13983 Jan 28, 2026
Drupal Tagify <1.2.44 XSS Vulnerability Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.