Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 248 CRITICAL 11 HIGH 57 MEDIUM 158 LOW 22
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • オープンソース
  • GPL v2
  • GPL v3
Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9
List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support		 Extended
for a fee		 Critical High Medium Low
1 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 0 1 1 0
2 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 2 20 19 0
3 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 10 29 35 0
4 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
5 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
6 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
7 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2		 Level
Attach Vector		 Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date		 Show Affected Exploit
PoC
Search
1 5.3
- 		MEDIUM
Network 		core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. CWE-209
Information Exposure Through an Error Message 		CVE-2024-45440 cpe:2.3:a:drupal:drupal:2023-05-09:* 2024-10-29 06:35
2024-08-29 		Show GitHub Exploit DB Packet Storm
2 7.5
- 		HIGH
Network 		Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. NVD-CWE-Other
CVE-2024-22362 cpe:2.3:a:drupal:drupal:9.3.6:- 2024-11-21 17:56
2024-01-16 		Show GitHub Exploit DB Packet Storm
3 7.5
- 		HIGH
Network 		In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading… NVD-CWE-noinfo
CVE-2023-5256 cpe:2.3:a:drupal:drupal:*:* 10.1.0
10.0.0
8.7.0



10.1.4
10.0.11
9.5.11 		2024-11-21 17:41
2023-09-29 		Show GitHub Exploit DB Packet Storm
4 6.5
- 		MEDIUM
Network 		The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may… CWE-863
 Incorrect Authorization 		CVE-2023-31250 cpe:2.3:a:drupal:drupal:*:* 10.0
9.5
9.4
7.0





10.0.8
9.5.8
9.4.14
7.96 		2024-11-21 17:01
2023-04-27 		Show GitHub Exploit DB Packet Storm
5 6.5
- 		MEDIUM
Network 		Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by … NVD-CWE-noinfo
CVE-2022-25278 cpe:2.3:a:drupal:drupal:*:* 9.4.0
8.0.0

9.4.3
9.3.19 		2024-11-21 15:51
2023-04-27 		Show GitHub Exploit DB Packet Storm
6 6.1
- 		MEDIUM
Network 		The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could l… CWE-79
Cross-site Scripting 		CVE-2022-25276 cpe:2.3:a:drupal:drupal:*:* 9.4.0
9.3.0

9.4.3
9.3.19 		2024-11-21 15:51
2023-04-27 		Show GitHub Exploit DB Packet Storm
7 7.2
- 		HIGH
Network 		Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files… CWE-434
 Unrestricted Upload of File with Dangerous Type  		CVE-2022-25277 cpe:2.3:a:drupal:drupal:*:* 9.4.0
8.0.0

9.4.3
9.3.19 		2024-11-21 15:51
2023-04-27 		Show GitHub Exploit DB Packet Storm
8 7.5
- 		HIGH
Network 		In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. … NVD-CWE-Other
CVE-2022-25275 cpe:2.3:a:drupal:drupal:*:* 8.0.0
7.0
9.4.0



9.3.19
7.91
9.4.3 		2024-11-21 15:51
2023-04-26 		Show GitHub Exploit DB Packet Storm
9 5.4
- 		MEDIUM
Network 		Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users … CWE-863
 Incorrect Authorization 		CVE-2022-25274 cpe:2.3:a:drupal:drupal:*:* 9.3.0 9.3.12 2024-11-21 15:51
2023-04-26 		Show GitHub Exploit DB Packet Storm
10 7.5
- 		HIGH
Network 		Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values … CWE-20
 Improper Input Validation  		CVE-2022-25273 cpe:2.3:a:drupal:drupal:*:* 9.3.0
8.0.0

9.3.12
9.2.18 		2024-11-21 15:51
2023-04-26 		Show GitHub Exploit DB Packet Storm