Software Detail
Drupal
Number of NVD: 249 (CRITICAL 12, HIGH 57, MEDIUM 158, LOW 22)
URL: https://www.drupal.org/
Explanation: Drupal is an open source Content Management System (CMS). Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v2
  • GPL v3
  • Open source

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended (for a fee) Critical High Medium Low
91 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 1 0
92 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 19 0
93 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 35 0
94 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
95 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
96 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
97 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri Update date Published date
91. CVSS3 7.5, CVSS2 5.0, Level HIGH, Attack Vector Network
Title: When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
CWE: CWE-863 Incorrect Authorization
CVE: CVE-2017-6377
cpe23Uri: cpe:2.3:a:drupal:drupal:8.2.6:*, cpe:2.3:a:drupal:drupal:8.2.5:*, cpe:2.3:a:drupal:drupal:8.2.4:*, cpe:2.3:a:drup…
Update date: 2024-11-21 12:29
Published date: 2017-03-16

92. CVSS3 6.5, CVSS2 4.3, Level MEDIUM, Attack Vector Network
Title: The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
CWE: CWE-20 Improper Input Validation
CVE: CVE-2016-9452
cpe23Uri: cpe:2.3:a:drupal:drupal:8.2.2:*, cpe:2.3:a:drupal:drupal:8.2.1:*, cpe:2.3:a:drupal:drupal:8.2.0:rc2, cpe:2.3:a:dr…
Update date: 2024-11-21 12:01
Published date: 2016-11-26

93. CVSS3 6.8, CVSS2 4.9, Level MEDIUM, Attack Vector Network
Title: Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
CWE: CWE-601 Open Redirect
CVE: CVE-2016-9451
cpe23Uri: cpe:2.3:a:drupal:drupal:7.51:*, cpe:2.3:a:drupal:drupal:7.50:*, cpe:2.3:a:drupal:drupal:7.4:*, cpe:2.3:a:drupal:d…
Update date: 2024-11-21 12:01
Published date: 2016-11-26

94. CVSS3 7.5, CVSS2 5.0, Level HIGH, Attack Vector Network
Title: The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
CWE: CWE-345 Insufficient Verification of Data Authenticity
CVE: CVE-2016-9450
cpe23Uri: cpe:2.3:a:drupal:drupal:8.2.2:*, cpe:2.3:a:drupal:drupal:8.2.1:*, cpe:2.3:a:drupal:drupal:8.2.0:rc2, cpe:2.3:a:dr…
Update date: 2024-11-21 12:01
Published date: 2016-11-26

95. CVSS3 4.3, CVSS2 4.0, Level MEDIUM, Attack Vector Network
Title: The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of acc…
CWE: CWE-200 Information Exposure
CVE: CVE-2016-9449
cpe23Uri: cpe:2.3:a:drupal:drupal:8.2.2:*, cpe:2.3:a:drupal:drupal:8.2.1:*, cpe:2.3:a:drupal:drupal:8.2.0:rc2, cpe:2.3:a:dr…
Update date: 2024-11-21 12:01
Published date: 2016-11-26

96. CVSS3 4.3, CVSS2 4.0, Level MEDIUM, Attack Vector Network
Title: The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions an…
CWE: CWE-264 Permissions, Privileges, and Access Controls
CVE: CVE-2016-7572
cpe23Uri: cpe:2.3:a:drupal:drupal:8.1.9:*, cpe:2.3:a:drupal:drupal:8.1.8:*, cpe:2.3:a:drupal:drupal:8.1.7:*, cpe:2.3:a:drup…
Update date: 2024-11-21 11:58
Published date: 2016-10-4

97. CVSS3 6.1, CVSS2 4.3, Level MEDIUM, Attack Vector Network
Title: Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
CWE: CWE-79 Cross-site Scripting
CVE: CVE-2016-7571
cpe23Uri: cpe:2.3:a:drupal:drupal:8.1.9:*, cpe:2.3:a:drupal:drupal:8.1.8:*, cpe:2.3:a:drupal:drupal:8.1.7:*, cpe:2.3:a:drup…
Update date: 2024-11-21 11:58
Published date: 2016-10-4

98. CVSS3 4.3, CVSS2 4.0, Level MEDIUM, Attack Vector Network
Title: Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging righ…
CWE: CWE-264 Permissions, Privileges, and Access Controls
CVE: CVE-2016-7570
cpe23Uri: cpe:2.3:a:drupal:drupal:8.1.9:*, cpe:2.3:a:drupal:drupal:8.1.8:*, cpe:2.3:a:drupal:drupal:8.1.7:*, cpe:2.3:a:drup…
Update date: 2024-11-21 11:58
Published date: 2016-10-4

99. CVSS3 5.3, CVSS2 5.0, Level MEDIUM, Attack Vector Network
Title: The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensiti…
CWE: CWE-200 Information Exposure
CVE: CVE-2016-6212
cpe23Uri: cpe:2.3:a:drupal:drupal:8.1.2:*, cpe:2.3:a:drupal:drupal:8.1.1:*, cpe:2.3:a:drupal:drupal:8.1.0:rc1, cpe:2.3:a:dr…
Update date: 2024-11-21 11:55
Published date: 2016-09-9

100. CVSS3 8.8, CVSS2 6.5, Level HIGH, Attack Vector Network
Title: The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.
CWE: CWE-264 Permissions, Privileges, and Access Controls
CVE: CVE-2016-6211
cpe23Uri: cpe:2.3:a:drupal:drupal:7.x-dev:*, cpe:2.3:a:drupal:drupal:7.9:*, cpe:2.3:a:drupal:drupal:7.8:*, cpe:2.3:a:drupal…
Update date: 2024-11-21 11:55
Published date: 2016-09-9