Software Detail
Drupal Number Of NVD 249 CRITICAL 12 HIGH 57 MEDIUM 158 LOW 22
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v2
  • GPL v3
  • Open source

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended (for a fee) Critical High Medium Low
181 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 1 0
182 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 19 0
183 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 35 0
184 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
185 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
186 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
187 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri (or higher / or less / more than / less than) Update date Published date
181 -
6.8
MEDIUM Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser v… CWE-352
 Origin Validation Error
CVE-2008-6532 cpe:2.3:a:drupal:drupal:6.6:*
cpe:2.3:a:drupal:drupal:6.5:*
cpe:2.3:a:drupal:drupal:6.4:*
cpe:2.3:a:drupal:dru…
2026-04-23 09:35
2009-03-27
182 -
9.3
HIGH includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the… CWE-16
CWE-20
Configuration
 Improper Input Validation 
CVE-2008-6171 cpe:2.3:a:drupal:drupal:6.5:*
cpe:2.3:a:drupal:drupal:6.4:*
cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:dru…
2026-04-23 09:35
2009-02-20
183 -
3.5
LOW Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbi… CWE-79
Cross-site Scripting
CVE-2008-6170 cpe:2.3:a:drupal:drupal:6.5:*
cpe:2.3:a:drupal:drupal:6.4:*
cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:dru…
2026-04-23 09:35
2009-02-20
184 -
7.5
HIGH The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules. CWE-264
NVD-CWE-noinfo
Permissions, Privileges, and Access Controls
CVE-2008-4793 cpe:2.3:a:drupal:drupal:5.9:*
cpe:2.3:a:drupal:drupal:5.8:*
cpe:2.3:a:drupal:drupal:5.7:*
cpe:2.3:a:drupal:dru…
5.10 2026-04-23 09:35
2008-10-30
185 -
6.0
MEDIUM The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypas… CWE-264
Permissions, Privileges, and Access Controls
CVE-2008-4792 cpe:2.3:a:drupal:drupal:*:* 5.0
6.0


5.11
6.5
2026-04-23 09:35
2008-10-30
186 -
6.0
MEDIUM The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors. CWE-264
Permissions, Privileges, and Access Controls
CVE-2008-4791 cpe:2.3:a:drupal:drupal:*:* 5.0
6.0


5.11
6.5
2026-04-23 09:35
2008-10-30
187 -
6.0
MEDIUM The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. CWE-264
Permissions, Privileges, and Access Controls
CVE-2008-4790 cpe:2.3:a:drupal:drupal:5.9:*
cpe:2.3:a:drupal:drupal:5.8:*
cpe:2.3:a:drupal:drupal:5.7:*
cpe:2.3:a:drupal:dru…
5.10 2026-04-23 09:35
2008-10-30
188 -
6.0
MEDIUM The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "l… CWE-264
Permissions, Privileges, and Access Controls
CVE-2008-4789 cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:drupal:6.2:*
cpe:2.3:a:drupal:drupal:6.1:*
cpe:2.3:a:drupal:dru…
6.4 2026-04-23 09:35
2008-10-30
189 -
5.0
MEDIUM Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers … NVD-CWE-Other
CVE-2008-3661 cpe:2.3:a:drupal:drupal:6.4:*
cpe:2.3:a:drupal:drupal:5.10:*
2026-04-23 09:35
2008-09-24
190 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CWE-79
Cross-site Scripting
CVE-2008-3740 cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:drupal:6.2:*
cpe:2.3:a:drupal:drupal:6.1:*
cpe:2.3:a:drupal:dru…
2026-04-23 09:35
2008-08-28