Drupal CMS
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Drupal.
Known Exploited Drupal Vulnerabilities
The following Drupal vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
Drupal module configuration vulnerability |
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. CVE-2018-7600 Exploit Probability: 94.5% |
November 3, 2021 |
The vulnerability CVE-2018-7600: Drupal module configuration vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
Drupal EOL Dates
Ensure that you are using a supported version of Drupal. Here are some end of life, and end of support dates for Drupal.
Release | EOL | End of Support | Status |
---|---|---|---|
10.4 | December 16, 2025 | June 16, 2025 |
EOL This Year
Drupal 10.4 will become EOL this year, in December 2025. |
11.1 | - | - |
Active
|
11.0 | June 16, 2025 | December 16, 2024 |
EOL
Drupal 11.0 became EOL in 2025 and supported ended in 2024 |
10.3 | June 16, 2025 | August 2, 2024 |
EOL
Drupal 10.3 became EOL in 2025 and supported ended in 2024 |
10.2 | December 17, 2024 | June 20, 2024 |
EOL
Drupal 10.2 became EOL in 2024 and supported ended in 2024 |
10.1 | June 20, 2024 | December 15, 2023 |
EOL
Drupal 10.1 became EOL in 2024 and supported ended in 2023 |
10.0 | December 15, 2023 | June 21, 2023 |
EOL
Drupal 10.0 became EOL in 2023 and supported ended in 2023 |
9.5 | November 1, 2023 | June 21, 2023 |
EOL
Drupal 9.5 became EOL in 2023 and supported ended in 2023 |
9.4 | June 21, 2023 | December 14, 2022 |
EOL
Drupal 9.4 became EOL in 2023 and supported ended in 2022 |
9.3 | December 14, 2022 | June 15, 2022 |
EOL
Drupal 9.3 became EOL in 2022 and supported ended in 2022 |
9.2 | June 15, 2022 | December 8, 2021 |
EOL
Drupal 9.2 became EOL in 2022 and supported ended in 2021 |
9.1 | December 8, 2021 | June 16, 2021 |
EOL
Drupal 9.1 became EOL in 2021 and supported ended in 2021 |
8.9 | November 2, 2021 | December 1, 2020 |
EOL
Drupal 8.9 became EOL in 2021 and supported ended in 2020 |
9.0 | June 16, 2021 | December 2, 2020 |
EOL
Drupal 9.0 became EOL in 2021 and supported ended in 2020 |
8.8 | December 1, 2020 | June 3, 2020 |
EOL
Drupal 8.8 became EOL in 2020 and supported ended in 2020 |
7 | January 5, 2025 | November 19, 2015 |
EOL
Drupal 7 became EOL in 2025 and supported ended in 2015 |
By the Year
In 2025 there have been 4 vulnerabilities in Drupal. Last year, in 2024 Drupal had 10 security vulnerabilities published. Right now, Drupal is on track to have less security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 4 | 0.00 |
2024 | 10 | 6.40 |
2023 | 8 | 6.78 |
2022 | 17 | 7.12 |
2021 | 14 | 6.69 |
2020 | 6 | 7.12 |
2019 | 12 | 7.35 |
2018 | 4 | 8.05 |
It may take a day or so for new Drupal vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Drupal Security Vulnerabilities
Incorrect Authorization vulnerability in Drupal Drupal core
CVE-2025-31673
- March 31, 2025
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
AuthZ
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core
CVE-2025-31675
- March 31, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
XSS
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core
CVE-2025-31674
- March 31, 2025
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Improper Control of Dynamically-Managed Code Resources
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core
CVE-2025-3057
- March 31, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
XSS
Drupal Core: Deserialization of Untrusted Data Leading to Object Injection
CVE-2024-55638
- December 10, 2024
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Marshaling, Unmarshaling
Drupal Core: Deserialization of Untrusted Data Leading to Object Injection
CVE-2024-55637
- December 10, 2024
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Marshaling, Unmarshaling
Drupal Core: XSS Vulnerability in Web Page Generation
CVE-2024-12393
- December 10, 2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
XSS
Drupal Core Privilege Escalation Vulnerability
CVE-2024-55634
- December 10, 2024
A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Improper Handling of Case Sensitivity
Drupal Core: XSS Vulnerability in Web Page Generation
CVE-2024-55635
- December 10, 2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.
XSS
Drupal Core: Deserialization of Untrusted Data Leading to Object Injection
CVE-2024-55636
- December 10, 2024
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Marshaling, Unmarshaling
A vulnerability in Drupal Core
CVE-2024-11941
- December 05, 2024
A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
Infinite Loop
A vulnerability in Drupal Core
CVE-2024-11942
- December 05, 2024
A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file
CVE-2024-45440
5.3 - Medium
- August 29, 2024
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
Generation of Error Message Containing Sensitive Information
Drupal contains a vulnerability with improper handling of structural elements
CVE-2024-22362
7.5 - High
- January 16, 2024
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.
In certain scenarios, Drupal's JSON:API module will output error backtraces
CVE-2023-5256
7.5 - High
- September 28, 2023
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
The file download facility doesn't sufficiently sanitize file paths in certain situations
CVE-2023-31250
6.5 - Medium
- April 26, 2023
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
AuthZ
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly
CVE-2022-25278
6.5 - Medium
- April 26, 2023
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
The Media oEmbed iframe route does not properly validate the iframe domain setting, which
CVE-2022-25276
6.1 - Medium
- April 26, 2023
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
XSS
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots
CVE-2022-25277
7.2 - High
- April 26, 2023
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
Unrestricted File Upload
In some situations
CVE-2022-25275
7.5 - High
- April 26, 2023
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.
Drupal 9.3 implemented a generic entity access API for entity revisions
CVE-2022-25274
5.4 - Medium
- April 26, 2023
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.
AuthZ
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation
CVE-2022-25273
7.5 - High
- April 26, 2023
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Improper Input Validation
Twig is a template language for PHP
CVE-2022-39261
7.5 - High
- September 28, 2022
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
Directory traversal
Guzzle is an open source PHP HTTP client
CVE-2022-31042
7.5 - High
- June 10, 2022
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
Improper Removal of Sensitive Information Before Storage or Transfer
Guzzle is an open source PHP HTTP client
CVE-2022-31043
7.5 - High
- June 10, 2022
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.
Improper Removal of Sensitive Information Before Storage or Transfer
Guzzle is a PHP HTTP client
CVE-2022-29248
8.1 - High
- May 25, 2022
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
Reliance on Cookies without Validation and Integrity Checking
guzzlehttp/psr7 is a PSR-7 HTTP message library
CVE-2022-24775
7.5 - High
- March 21, 2022
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Improper Input Validation
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor
CVE-2022-24729
7.5 - High
- March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
ReDoS
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor
CVE-2022-24728
5.4 - Medium
- March 16, 2022
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
XSS
The Quick Edit module does not properly check entity access in some circumstances
CVE-2022-25270
6.5 - Medium
- February 17, 2022
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
AuthZ
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation
CVE-2022-25271
7.5 - High
- February 16, 2022
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Improper Input Validation
Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way
CVE-2020-13668
6.1 - Medium
- February 11, 2022
Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
XSS
Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file
CVE-2020-13670
7.5 - High
- February 11, 2022
Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Exposure of Resource to Wrong Sphere
The QuickEdit module does not properly validate access to routes, which could
CVE-2020-13674
6.5 - Medium
- February 11, 2022
The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.
Session Riding
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs
CVE-2020-13675
9.8 - Critical
- February 11, 2022
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
Unrestricted File Upload
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data
CVE-2020-13676
6.5 - Medium
- February 11, 2022
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
AuthZ
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content
CVE-2020-13677
7.5 - High
- February 11, 2022
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS
CVE-2020-13669
6.1 - Medium
- February 11, 2022
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
XSS
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances
CVE-2020-13672
6.1 - Medium
- February 11, 2022
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.
XSS
CKEditor4 is an open source WYSIWYG HTML editor
CVE-2021-41165
5.4 - Medium
- November 17, 2021
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
XSS
CKEditor4 is an open source WYSIWYG HTML editor
CVE-2021-41164
5.4 - Medium
- November 17, 2021
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
XSS
jQuery-UI is the official jQuery user interface library
CVE-2021-41182
6.1 - Medium
- October 26, 2021
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
XSS
jQuery-UI is the official jQuery user interface library
CVE-2021-41183
6.1 - Medium
- October 26, 2021
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
XSS
jQuery-UI is the official jQuery user interface library
CVE-2021-41184
6.1 - Medium
- October 26, 2021
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
XSS
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input
CVE-2020-13663
8.8 - High
- June 11, 2021
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Session Riding
Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way
CVE-2020-13688
6.1 - Medium
- June 11, 2021
Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
XSS
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1
CVE-2021-33829
6.1 - Medium
- June 09, 2021
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
XSS
Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions
CVE-2020-13667
5.3 - Medium
- May 17, 2021
Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
Incorrect Default Permissions
Open Redirect vulnerability in Drupal Core
CVE-2020-13662
6.1 - Medium
- May 05, 2021
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions.
Open Redirect
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode
CVE-2020-13665
9.8 - Critical
- May 05, 2021
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.