Software Detail
Drupal: Number Of NVD 249 (CRITICAL 12, HIGH 57, MEDIUM 158, LOW 22)
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v2
  • GPL v3
  • Open source

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended (for a fee) Critical High Medium Low
121 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 1 0
122 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 19 0
123 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 35 0
124 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
125 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
126 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
127 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri or higher or less more than less than Update date Published date
121 -
3.5
LOW Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a craf… CWE-284
Improper Access Control
CVE-2015-2559 cpe:2.3:a:drupal:drupal:*:* 6.0
7.0


6.35
7.35
2024-11-21 11:27
2015-03-25
122 6.1
4.3
MEDIUM
Network
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. CWE-79
Cross-site Scripting
CVE-2010-5312 cpe:2.3:a:drupal:drupal:*:* 7.0 7.86 2024-11-21 10:23
2014-11-25
123 -
5.0
MEDIUM The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and m… NVD-CWE-noinfo
CVE-2014-9016 cpe:2.3:a:drupal:drupal:*:* 7.0 7.34 2024-11-21 11:20
2014-11-25
124 -
6.8
MEDIUM Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS session… CWE-264
Permissions, Privileges, and Access Controls
CVE-2014-9015 cpe:2.3:a:drupal:drupal:*:* 6.0
7.0


6.34
7.34
2024-11-21 11:20
2014-11-25
125 -
7.5
HIGH The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection att… CWE-89
SQL Injection
CVE-2014-3704 cpe:2.3:a:drupal:drupal:*:* 7.0 7.32 2024-11-21 11:08
2014-10-16
126 -
6.8
MEDIUM modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. CWE-264
Permissions, Privileges, and Access Controls
CVE-2014-5267 cpe:2.3:a:drupal:drupal:7.9:*
cpe:2.3:a:drupal:drupal:7.8:*
cpe:2.3:a:drupal:drupal:7.7:*
cpe:2.3:a:drupal:dru…
2024-11-21 11:11
2014-09-30
127 -
5.0
MEDIUM The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote atta… CWE-399
Resource Management Errors
CVE-2014-5266 cpe:2.3:a:drupal:drupal:7.x-dev:*
cpe:2.3:a:drupal:drupal:7.9:*
cpe:2.3:a:drupal:drupal:7.8:*
cpe:2.3:a:drupal…
2024-11-21 11:11
2014-08-18
128 -
5.0
MEDIUM The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion,… CWE-399
Resource Management Errors
CVE-2014-5265 cpe:2.3:a:drupal:drupal:7.x-dev:*
cpe:2.3:a:drupal:drupal:7.9:*
cpe:2.3:a:drupal:drupal:7.8:*
cpe:2.3:a:drupal…
2024-11-21 11:11
2014-08-18
129 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled t… CWE-79
Cross-site Scripting
CVE-2014-5022 cpe:2.3:a:drupal:drupal:7.x-dev:*
cpe:2.3:a:drupal:drupal:7.9:*
cpe:2.3:a:drupal:drupal:7.8:*
cpe:2.3:a:drupal…
2024-11-21 11:11
2014-07-22
130 -
2.1
LOW Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject a… CWE-79
Cross-site Scripting
CVE-2014-5021 cpe:2.3:a:drupal:drupal:7.x-dev:*
cpe:2.3:a:drupal:drupal:7.9:*
cpe:2.3:a:drupal:drupal:7.8:*
cpe:2.3:a:drupal…
2024-11-21 11:11
2014-07-22