Drupal CMS
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Drupal.
Known Exploited Drupal Vulnerabilities
The following Drupal vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Drupal module configuration vulnerability |
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. CVE-2018-7600 Exploit Probability: 94.5% |
November 3, 2021 |
The vulnerability CVE-2018-7600: Drupal module configuration vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
Drupal EOL Dates
Ensure that you are using a supported version of Drupal. Here are some end of life, and end of support dates for Drupal.
| Release | EOL | End of Support | Status |
|---|---|---|---|
| 11.3 | December 16, 2026 | June 16, 2026 |
EOL This Year
Drupal 11.3 will become EOL this year, in December 2026. |
| 10.6 | December 16, 2026 | June 16, 2026 |
EOL This Year
Drupal 10.6 will become EOL this year, in December 2026. |
| 10.5 | June 17, 2026 | December 17, 2025 |
EOL This Year
Drupal 10.5 will become EOL this year, in June 2026. |
| 11.2 | June 17, 2026 | December 10, 2025 |
EOL This Year
Drupal 11.2 will become EOL this year, in June 2026. |
| 10.4 | December 10, 2025 | June 18, 2025 |
EOL
Drupal 10.4 became EOL in 2025 and supported ended in 2025 |
| 11.1 | December 10, 2025 | June 18, 2025 |
EOL
Drupal 11.1 became EOL in 2025 and supported ended in 2025 |
| 11.0 | June 16, 2025 | December 16, 2024 |
EOL
Drupal 11.0 became EOL in 2025 and supported ended in 2024 |
| 10.3 | June 16, 2025 | August 2, 2024 |
EOL
Drupal 10.3 became EOL in 2025 and supported ended in 2024 |
| 10.2 | December 17, 2024 | June 20, 2024 |
EOL
Drupal 10.2 became EOL in 2024 and supported ended in 2024 |
| 10.1 | June 20, 2024 | December 15, 2023 |
EOL
Drupal 10.1 became EOL in 2024 and supported ended in 2023 |
| 10.0 | December 15, 2023 | June 21, 2023 |
EOL
Drupal 10.0 became EOL in 2023 and supported ended in 2023 |
| 9.5 | November 1, 2023 | June 21, 2023 |
EOL
Drupal 9.5 became EOL in 2023 and supported ended in 2023 |
| 9.4 | June 21, 2023 | December 14, 2022 |
EOL
Drupal 9.4 became EOL in 2023 and supported ended in 2022 |
| 9.3 | December 14, 2022 | June 15, 2022 |
EOL
Drupal 9.3 became EOL in 2022 and supported ended in 2022 |
| 9.2 | June 15, 2022 | December 8, 2021 |
EOL
Drupal 9.2 became EOL in 2022 and supported ended in 2021 |
| 9.1 | December 8, 2021 | June 16, 2021 |
EOL
Drupal 9.1 became EOL in 2021 and supported ended in 2021 |
| 8.9 | November 2, 2021 | December 1, 2020 |
EOL
Drupal 8.9 became EOL in 2021 and supported ended in 2020 |
| 9.0 | June 16, 2021 | December 2, 2020 |
EOL
Drupal 9.0 became EOL in 2021 and supported ended in 2020 |
| 8.8 | December 1, 2020 | June 3, 2020 |
EOL
Drupal 8.8 became EOL in 2020 and supported ended in 2020 |
| 7 | January 5, 2025 | November 19, 2015 |
EOL
Drupal 7 became EOL in 2025 and supported ended in 2015 |
By the Year
In 2026 there have been 5 vulnerabilities in Drupal with an average score of 4.9 out of ten. Last year, in 2025 Drupal had 15 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Drupal in 2026 could surpass last years number. Last year, the average CVE base score was greater by 0.02
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 5 | 4.90 |
| 2025 | 15 | 4.92 |
| 2024 | 11 | 6.40 |
| 2023 | 10 | 6.86 |
| 2022 | 17 | 7.12 |
| 2021 | 14 | 6.72 |
| 2020 | 6 | 7.64 |
| 2019 | 16 | 7.60 |
| 2018 | 4 | 8.57 |
It may take a day or so for new Drupal vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Drupal Security Vulnerabilities
Drupal 7.x File (FP): Authenticated Info Disclosure via URI collisions <7.1.3
CVE-2026-1556
- March 26, 2026
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users private files via filenamecollision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Information Disclosure
Drupal Canvas SSRF before 1.1.1
CVE-2026-3216
5 - Medium
- March 25, 2026
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.
SSRF
Drupal Canvas 1.0.4 Incorrect Auth: Forceful Browsing (CVE-2026-1553)
CVE-2026-1553
4.8 - Medium
- February 04, 2026
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
AuthZ
Drupal Form Builder XSS before 7.X-1.22 (CVE-2026-0749)
CVE-2026-0749
- January 28, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.
XSS
Drupal Commerce Paybox 7.x-1.0 to 1.5: Bad Sign Verification -> Auth Bypass
CVE-2026-0750
- January 28, 2026
Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass.This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5.
Improper Verification of Cryptographic Signature
CVE-2025-12848: Drupal Webform MF Module XSS via Malicious Filename
CVE-2025-12848
- November 26, 2025
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.
XSS
Drupal core cache data leak via access control (v8-10.4.9,10.5-10.5.6,11.0-11.1.9)
CVE-2025-13083
3.7 - Low
- November 18, 2025
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
Use of Web Browser Cache Containing Sensitive Information
Drupal Core UI Misrepr Vulnerability 8.x10.4.9,10.5.x10.5.6,11.x11.2.8
CVE-2025-13082
4.3 - Medium
- November 18, 2025
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
User Interface (UI) Misrepresentation of Critical Information
Drupal Core OI VULN 8.010.4.9,10.510.5.6,11.011.1.9,11.211.2.8
CVE-2025-13081
5.9 - Medium
- November 18, 2025
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Mass Assignment
Drupal Core 810.4.9,10.510.5.6,11.011.1.9,11.211.2.8 Forceful Browsing via Improper Check
CVE-2025-13080
5.3 - Medium
- November 18, 2025
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Improper Check for Unusual or Exceptional Conditions
Drupal Block Class XSS (CVE-2025-3902) 4.0.0-<4.0.1 – Block Class
CVE-2025-3902
- April 23, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Class allows Cross-Site Scripting (XSS).This issue affects Block Class: from 4.0.0 before 4.0.1.
Drupal 8 Google Optimize Hide Page RCE Vulnerability
CVE-2025-3739
- April 16, 2025
Vulnerability in Drupal Drupal 8 Google Optimize Hide Page.This issue affects Drupal 8 Google Optimize Hide Page: *.*.
Drupal Core IAuth: Forceful Browsing (v8.0.0–10.3.13, 10.4.0–10.4.3, 11.0.0–11.0.12, 11.1.0–11.1.3)
CVE-2025-31673
- March 31, 2025
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
AuthZ
Drupal Core <10.3.14, <10.4.5, <11.0.13, <11.1.5 XSS vulnerability
CVE-2025-31675
5.4 - Medium
- March 31, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.
XSS
Drupal Core OI via dynamic attr mod before 11.1.3
CVE-2025-31674
- March 31, 2025
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Improper Control of Dynamically-Managed Code Resources
Drupal Core XSS via Improper Input Neutralization (<=10.4.3)
CVE-2025-3057
- March 31, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
XSS
Drupal XSS in POST File before 1.0.2
CVE-2024-13294
- January 09, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal POST File allows Cross-Site Scripting (XSS).This issue affects POST File: from 0.0.0 before 1.0.2.
Drupal Node Export <7.X-3.3: Untrusted Deserialization (Object Injection)
CVE-2024-13295
- January 09, 2025
Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.This issue affects Node export: from 7.X-* before 7.X-3.3.
Drupal File Field All-Ext Upload (CVE-2024-13311)
CVE-2024-13311
- January 09, 2025
Vulnerability in Drupal Allow All File Extensions for file fields.This issue affects Allow All File Extensions for file fields: *.*.
Drupal XSS: Unescaped id in menu lists
CVE-2024-40748
- January 07, 2025
Lack of output escaping in the id attribute of menu lists.
XSS
Drupal Core: XSS Vulnerability in Web Page Generation
CVE-2024-12393
- December 10, 2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
XSS
Drupal Core Privilege Escalation Vulnerability
CVE-2024-55634
- December 10, 2024
A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Improper Handling of Case Sensitivity
Drupal Core: XSS Vulnerability in Web Page Generation
CVE-2024-55635
- December 10, 2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.
XSS
Drupal Core: Deserialization of Untrusted Data Leading to Object Injection
CVE-2024-55636
- December 10, 2024
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Marshaling, Unmarshaling
Drupal Core: Deserialization of Untrusted Data Leading to Object Injection
CVE-2024-55637
- December 10, 2024
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Marshaling, Unmarshaling
Drupal Core: Deserialization of Untrusted Data Leading to Object Injection
CVE-2024-55638
- December 10, 2024
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Marshaling, Unmarshaling
Drupal Core: Excessive Allocation before 10.2.2/10.1.8
CVE-2024-11941
- December 05, 2024
A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
Infinite Loop
Drupal Core File Manipulation Vulnerability before v10.2.10
CVE-2024-11942
- December 05, 2024
A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
Drupal authorize.php FPD via missing hash_salt
CVE-2024-45440
5.3 - Medium
- August 29, 2024
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
Generation of Error Message Containing Sensitive Information
Drupal: Media Lib IAC Exploit
CVE-2023-52367
- February 18, 2024
Vulnerability of improper access control in the media library module.Successful exploitation of this vulnerability may affect service availability and integrity.
Drupal Structural Element DoS via Improper Handling
CVE-2024-22362
7.5 - High
- January 16, 2024
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.
Drupal Language File Parsing Exposes Env Vars
CVE-2023-40626
7.5 - High
- November 29, 2023
The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensible information.
Drupal JSON:API backtrace info leak
CVE-2023-5256
7.5 - High
- September 28, 2023
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
Drupal 7 Unauth RCE via Admin: Ajax - CVE-2018-4791
CVE-2018-4791
- September 14, 2023
** REJECT ** This candidate is unused by its CNA.
Drupal File Download Path Traversal Exposes Private Files
CVE-2023-31250
6.5 - Medium
- April 26, 2023
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
AuthZ
Drupal Core Bypass File Sanitization for .htaccess Uploads
CVE-2022-25277
7.2 - High
- April 26, 2023
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
Unrestricted File Upload
Drupal Form API Auth Bypass via Incorrect Access Check (CVE-2022-25278)
CVE-2022-25278
6.5 - Medium
- April 26, 2023
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
Drupal Media Module: oEmbed Route XSS via Unvalidated iframe Domain
CVE-2022-25276
6.1 - Medium
- April 26, 2023
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
XSS
Drupal Core Form API Input Validation Flaw Enables Data Injection
CVE-2022-25273
7.5 - High
- April 26, 2023
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Improper Input Validation
Drupal 9.3 Entity Revision Access Bypass via Incomplete Permissions API
CVE-2022-25274
5.4 - Medium
- April 26, 2023
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.
AuthZ
Drupal Image Module Improper File Access in Derivative Generation
CVE-2022-25275
7.5 - High
- April 26, 2023
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.
Twig 1.x/2.x/3.x Template Injection via Namespace Traversal (Fixed 1.44.7/2.15.3/3.4.3)
CVE-2022-39261
7.5 - High
- September 28, 2022
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Directory traversal
Guzzle is an open source PHP HTTP client
CVE-2022-31042
7.5 - High
- June 10, 2022
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
Improper Removal of Sensitive Information Before Storage or Transfer
Guzzle is an open source PHP HTTP client
CVE-2022-31043
7.5 - High
- June 10, 2022
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.
Improper Removal of Sensitive Information Before Storage or Transfer
Guzzle is a PHP HTTP client
CVE-2022-29248
8.1 - High
- May 25, 2022
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
Reliance on Cookies without Validation and Integrity Checking
guzzlehttp/psr7 is a PSR-7 HTTP message library
CVE-2022-24775
7.5 - High
- March 21, 2022
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Improper Input Validation
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor
CVE-2022-24729
7.5 - High
- March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
ReDoS
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor
CVE-2022-24728
5.4 - Medium
- March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
XSS
The Quick Edit module does not properly check entity access in some circumstances
CVE-2022-25270
6.5 - Medium
- February 17, 2022
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
AuthZ
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation
CVE-2022-25271
7.5 - High
- February 16, 2022
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Improper Input Validation
