Drupal is an Open Source CMS written in PHP


Products by Drupal, sorted by most security vulnerabilities since 2018

Drupal (CMS): 126 vulnerabilities
Drupal Wiki: 1 vulnerability
Drupal Web T: 1 vulnerability
Drupal Svg Sanitizer: 1 vulnerability
Drupal Responsive Menus: 1 vulnerability
Drupal Panels: 1 vulnerability
Drupal Obfuscate: 1 vulnerability
Drupal Entity Embed: 1 vulnerability
Drupal Eca: 1 vulnerability
Drupal Docker Images: 1 vulnerability
Drupal Avatar Uploader: 1 vulnerability

Known Exploited Drupal Vulnerabilities

The following Drupal vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Drupal Core Remote Code Execution Vulnerability
CVE: CVE-2018-7602 (Exploit Probability: 94.4%)
Added: April 13, 2022
Description: A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.

Title: Drupal Core Remote Code Execution Vulnerability
CVE: CVE-2019-6340 (Exploit Probability: 94.4%)
Added: March 25, 2022
Description: In Drupal Core, some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Title: Drupal core Un-restricted Upload of File
CVE: CVE-2020-13671 (Exploit Probability: 4.5%)
Added: January 18, 2022
Description: Improper sanitization in the extension file names is present in Drupal core.

Title: Drupal module configuration vulnerability
CVE: CVE-2018-7600 (Exploit Probability: 94.5%)
Added: November 3, 2021
Description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 46 vulnerabilities in Drupal with an average score of 5.6 out of ten. Last year, in 2025, Drupal had 43 security vulnerabilities published. That is, 3 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 0.25.

Year Vulnerabilities Average Score
2026 46 5.60
2025 43 5.84
2024 12 6.30
2023 11 6.65
2022 20 7.11
2021 14 6.72
2020 9 8.00
2019 19 7.60
2018 5 8.30

It may take a day or so for new Drupal vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Drupal Security Vulnerabilities

CVE-2026-0748 (Mar 26, 2026): Drupal 7 i18n_node Unpublished Node Disclosure (7.x-1.0-7.x-1.35)
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

CVE-2026-1556 (Mar 26, 2026): Drupal 7.x File (FP): Authenticated Info Disclosure via URI collisions <7.1.3
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users' private files via filename-collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Product: Drupal

CVE-2026-4393 (Mar 26, 2026): CSRF Vulnerability in Drupal Autom. Logout <1.7.0 / <2.0.2
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery. This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.

CVE-2026-4933 (Mar 26, 2026): Drupal Unpublished Node Permissions <1.7.0: Forceful Browsing via Auth Bypass
Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

CVE-2026-3573 (Mar 26, 2026): Drupal AI <1.1.11 & <1.2.12: Incorrect Auth Enables Resource Injection
Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.
Product: Artificial Intelligence

CVE-2026-3532 (Mar 26, 2026): Drupal OIDC/OAuth Client <=1.4 Privilege Escalation via Case Sensitivity
Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

CVE-2026-3531 (Mar 26, 2026): Drupal OIDC/OAuth Client Auth Bypass < 1.5.0
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

CVE-2026-3530 (Mar 26, 2026): Drupal OpenID Connect OAuth Client SSRF before v1.5.0
Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

CVE-2026-3529 (Mar 26, 2026): Drupal GA4 XSS before 1.1.14
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS). This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.

CVE-2026-3528 (Mar 26, 2026): Drupal Calculation Fields XSS before 1.0.4
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS). This issue affects Calculation Fields: from 0.0.0 before 1.0.4.

CVE-2026-3527 (Mar 26, 2026): Drupal AJAX Dashboard v<3.1.0 Missing Auth Critical Function
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.

CVE-2026-3526 (Mar 26, 2026): Drupal File Access Fix <1.2.0: Forceful Browsing via Incorrect Auth
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

CVE-2026-3525 (Mar 26, 2026): Drupal File Access Fix <1.2.0: Incorrect Auth, Forceful Browsing
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

CVE-2026-3218 (Mar 25, 2026): Drupal Responsive Favicons XSS before 2.0.2
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Responsive Favicons allows Cross-Site Scripting (XSS). This issue affects Responsive Favicons: from 0.0.0 before 2.0.2.

CVE-2026-3217 (Mar 25, 2026): Drupal SAML SSO XSS Vulnerability (before 3.1.3)
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS). This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.

CVE-2026-3216 (Mar 25, 2026): Drupal Canvas SSRF before 1.1.1
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery. This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.
Product: Drupal

CVE-2026-3215 (Mar 25, 2026): XSS in Drupal Islandora (pre-2.17.5) via Improper Input Neutralization
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Islandora allows Cross-Site Scripting (XSS). This issue affects Islandora: from 0.0.0 before 2.17.5.

CVE-2026-3214 (Mar 25, 2026): Drupal CAPTCHA v1.x <1.17.0 or v2.x <2.0.10 Auth Bypass via Alternate Channel
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass. This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.

CVE-2026-3213 (Mar 25, 2026): XSS in Drupal Anti-Spam by CleanTalk before 9.7.0
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Anti-Spam by CleanTalk allows Cross-Site Scripting (XSS). This issue affects Anti-Spam by CleanTalk: from 0.0.0 before 9.7.0.

CVE-2026-3212 (Mar 25, 2026): Drupal Tagify XSS before v1.2.49 via Improper Neutralization
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.49.

CVE-2026-3211 (Mar 25, 2026): Drupal Theme Negotiation by Rules <1.2.1 CSRF Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery. This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.

CVE-2026-3210 (Mar 25, 2026): Drupal Material Icons <=2.0.3 Forceful Browsing via Incorrect Auth
Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing. This issue affects Material Icons: from 0.0.0 before 2.0.4.

CVE-2026-2349 (Mar 25, 2026): Drupal UI Icons XSS in UI Icons (<=1.1.0)
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS). This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.

CVE-2026-2348 (Mar 25, 2026): Drupal Quick Edit XSS (before 1.0.5, before 2.0.1)
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS). This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1.

CVE-2026-1917 (Mar 25, 2026): Drupal Login Disable 2.1.3 Auth Bypass via Alternate Path
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass. This issue affects Login Disable: from 0.0.0 before 2.1.3.

CVE-2026-1554 (Feb 04, 2026): Drupal CAS Server XML Injection PrivEsc (before 2.0.3, before 2.1.2)
XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation. This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.

CVE-2026-1553 (Feb 04, 2026): Drupal Canvas 1.0.4 Incorrect Auth: Forceful Browsing
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing. This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
Product: Drupal

CVE-2026-0948 (Feb 04, 2026): Auth Bypass alt path in Microsoft Entra ID SSO Login before 1.0.4
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation. This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.

CVE-2026-0947 (Feb 04, 2026): Drupal AT Internet Piano Analytics XSS 0.0.0-1.0.1 & 2.0.0-2.3.1
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS). This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.

CVE-2026-0946 (Feb 04, 2026): Drupal AT Internet SmartTag XSS <1.0.1
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS). This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1.

CVE-2026-0945 (Feb 04, 2026): Privilege Escalation via Unsafe Actions in Drupal Role Delegation 1.3.0-<1.5.0
Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation. This issue affects Role Delegation: from 1.3.0 before 1.5.0.

CVE-2026-0944 (Feb 04, 2026): Drupal Group Invite Forceful Browsing Vulnerability (2.3.9, 3.0.4, 4.0.4)
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing. This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.

CVE-2025-14840 (Jan 28, 2026): Drupal HTTP Client Manager <9.3.13 / <10.0.2 / <11.0.1 ImpChk Forceful Browsing
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing. This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.

CVE-2025-14472 (Jan 28, 2026): Acquia Content Hub CSRF <3.6.4/3.7.3
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery. This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.

CVE-2025-13986 (Jan 28, 2026): Drupal Disable Login Page: Auth Bypass via Alternate Path (v<1.1.3)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3.

CVE-2025-13985 (Jan 28, 2026): Drupal Entity Share <3.13 Forceful Browsing via Incorrect Auth
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing. This issue affects Entity Share: from 0.0.0 before 3.13.0.

CVE-2025-13984 (Jan 28, 2026): Next.js XSS via Permissive CrossDomain Policy (1.6.4, 2.0.1)
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.

CVE-2025-13983 (Jan 28, 2026): Drupal Tagify <1.2.44 XSS Vulnerability
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.44.

CVE-2025-13982 (Jan 28, 2026): Drupal Login Time Restriction <=1.0.3 CSRF Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery. This issue affects Login Time Restriction: from 0.0.0 before 1.0.3.

CVE-2025-13981 (Jan 28, 2026): Drupal AI XSS v<1.1.7 or <1.2.4
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4.
Product: Artificial Intelligence

CVE-2025-13980 (Jan 28, 2026): CKEditor 5 Premium Features Auth Bypass via alt path before 1.6.4
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.

CVE-2025-13979 (Jan 28, 2026): Drupal Mini Site <3.0.2 Stored XSS via Unsafe Actions
Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS. This issue affects Mini site: from 0.0.0 before 3.0.2.

CVE-2026-0749 (Jan 28, 2026): Drupal Form Builder XSS before 7.X-1.22
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS). This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.
Product: Drupal

CVE-2026-0750 (Jan 28, 2026): Drupal Commerce Paybox 7.x-1.0 to 1.5: Bad Sign Verification -> Auth Bypass
Improper Verification of Cryptographic Signature vulnerability in Drupal Commerce Paybox on Drupal 7.X allows Authentication Bypass. This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.
Product: Drupal

CVE-2025-14557 (Jan 14, 2026): Drupal Facebook Pixel 7.x-1.0~1.1 Stored XSS Vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1.

CVE-2025-14556 (Jan 14, 2026): Drupal Flag 7.X-3.0-3.9 XSS Vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS). This issue affects Flag: from 7.X-3.0 through 7.X-3.9.

CVE-2025-12848 (Nov 26, 2025): Drupal Webform MF Module XSS via Malicious Filename
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. Users are advised to apply the provided patch or update to a fixed version of the module.
Product: Drupal

CVE-2025-12761 (Nov 18, 2025): Drupal Simple multi step form XSS v0.0.0-<2.0.0
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS). This issue affects Simple multi step form: from 0.0.0 before 2.0.0.

CVE-2025-12760 (Nov 18, 2025): Drupal Email TFA Authentication Bypass Before 2.0.6
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6.

CVE-2025-13083 (Nov 18, 2025): Drupal core cache data leak via access control (v8-10.4.9, 10.5-10.5.6, 11.0-11.1.9)
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
Product: Drupal
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).