Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 254 CRITICAL 12 HIGH 57 MEDIUM 162 LOW 23
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • オープンソース
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
1 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 5 1
2 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 23 1
3 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 39 1
4 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 68 8
5 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 61 14
6 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 43 8
7 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 37 7
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
1 5.4
-
MEDIUM
Network
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core versions: fr… Update CWE-79
Cross-site Scripting
CVE-2026-55808 cpe:2.3:a:drupal:drupal:*:*
10.6.0
11.0.0
11.3.0






10.5.12
10.6.11
11.2.14
11.3.12
2026-07-17 00:02
2026-07-11
Show GitHub Exploit DB Packet Storm
2 3.1
-
LOW
Network
Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from… Update CWE-918
Server-Side Request Forgery (SSRF) 
CVE-2026-55807 cpe:2.3:a:drupal:drupal:*:*
10.6.0
11.0.0
11.3.0






10.5.12
10.6.11
11.2.14
11.3.12
2026-07-16 23:58
2026-07-11
Show GitHub Exploit DB Packet Storm
3 5.9
-
MEDIUM
Network
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11… Update CWE-601
Open Redirect
CVE-2026-55806 cpe:2.3:a:drupal:drupal:*:*
10.6.0
11.0.0
11.3.0






10.5.12
10.6.11
11.2.14
11.3.12
2026-07-17 00:26
2026-07-11
Show GitHub Exploit DB Packet Storm
4 5.9
-
MEDIUM
Network
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5… Update CWE-915
 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-55804 cpe:2.3:a:drupal:drupal:*:*
10.6.0
11.0.0
11.3.0






10.5.12
10.6.11
11.2.14
11.3.12
2026-07-17 00:11
2026-07-11
Show GitHub Exploit DB Packet Storm
5 5.9
-
MEDIUM
Network
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5… Update CWE-915
 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-55803 cpe:2.3:a:drupal:drupal:*:*
10.6.0
11.0.0
11.3.0






10.5.12
10.6.11
11.2.14
11.3.12
2026-07-17 00:09
2026-07-11
Show GitHub Exploit DB Packet Storm
6 9.8
-
CRITICAL
Network
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.… CWE-89
SQL Injection
CVE-2026-9082 cpe:2.3:a:drupal:drupal:*:* 8.9.0
10.5.0
10.6.0
11.0.0
11.2.0
11.3.0










10.4.10
10.5.10
10.6.9
11.1.10
11.2.12
11.3.10
2026-05-23 04:38
2026-05-21
Show GitHub Exploit DB Packet Storm
7 5.3
-
MEDIUM
Network
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. CWE-209
Information Exposure Through an Error Message
CVE-2024-45440 cpe:2.3:a:drupal:drupal:2023-05-09:* 2024-10-29 06:35
2024-08-29
Show GitHub Exploit DB Packet Storm
8 7.5
-
HIGH
Network
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. NVD-CWE-Other
CVE-2024-22362 cpe:2.3:a:drupal:drupal:9.3.6:- 2024-11-21 17:56
2024-01-16
Show GitHub Exploit DB Packet Storm
9 7.5
-
HIGH
Network
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading… NVD-CWE-noinfo
CVE-2023-5256 cpe:2.3:a:drupal:drupal:*:* 10.1.0
10.0.0
8.7.0




10.1.4
10.0.11
9.5.11
2024-11-21 17:41
2023-09-29
Show GitHub Exploit DB Packet Storm
10 6.5
-
MEDIUM
Network
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may… CWE-863
 Incorrect Authorization
CVE-2023-31250 cpe:2.3:a:drupal:drupal:*:* 10.0
9.5
9.4
7.0






10.0.8
9.5.8
9.4.14
7.96
2024-11-21 17:01
2023-04-27
Show GitHub Exploit DB Packet Storm