Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 254 CRITICAL 12 HIGH 57 MEDIUM 162 LOW 23
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • オープンソース
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
11 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 5 1
12 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 23 1
13 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 39 1
14 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 68 8
15 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 61 14
16 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 43 8
17 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 37 7
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
11 6.5
-
MEDIUM
Network
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by … NVD-CWE-noinfo
CVE-2022-25278 cpe:2.3:a:drupal:drupal:*:* 9.4.0
8.0.0


9.4.3
9.3.19
2024-11-21 15:51
2023-04-27
Show GitHub Exploit DB Packet Storm
12 6.1
-
MEDIUM
Network
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could l… CWE-79
Cross-site Scripting
CVE-2022-25276 cpe:2.3:a:drupal:drupal:*:* 9.4.0
9.3.0


9.4.3
9.3.19
2024-11-21 15:51
2023-04-27
Show GitHub Exploit DB Packet Storm
13 7.2
-
HIGH
Network
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files… CWE-434
 Unrestricted Upload of File with Dangerous Type 
CVE-2022-25277 cpe:2.3:a:drupal:drupal:*:* 9.4.0
8.0.0


9.4.3
9.3.19
2024-11-21 15:51
2023-04-27
Show GitHub Exploit DB Packet Storm
14 7.5
-
HIGH
Network
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. … NVD-CWE-Other
CVE-2022-25275 cpe:2.3:a:drupal:drupal:*:* 8.0.0
7.0
9.4.0




9.3.19
7.91
9.4.3
2024-11-21 15:51
2023-04-26
Show GitHub Exploit DB Packet Storm
15 5.4
-
MEDIUM
Network
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users … CWE-863
 Incorrect Authorization
CVE-2022-25274 cpe:2.3:a:drupal:drupal:*:* 9.3.0 9.3.12 2024-11-21 15:51
2023-04-26
Show GitHub Exploit DB Packet Storm
16 7.5
-
HIGH
Network
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values … CWE-20
 Improper Input Validation 
CVE-2022-25273 cpe:2.3:a:drupal:drupal:*:* 9.3.0
8.0.0


9.3.12
9.2.18
2024-11-21 15:51
2023-04-26
Show GitHub Exploit DB Packet Storm
17 7.5
-
HIGH
Network
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… CWE-22
Path Traversal
CVE-2022-39261 cpe:2.3:a:drupal:drupal:*:* 9.4.0
8.0.0


9.4.7
9.3.22
2024-11-21 16:17
2022-09-28
Show GitHub Exploit DB Packet Storm
18 7.5
5.0
HIGH
Network
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds w… CWE-212
 Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2022-31043 cpe:2.3:a:drupal:drupal:9.4.0:rc1
cpe:2.3:a:drupal:drupal:9.4.0:beta1
cpe:2.3:a:drupal:drupal:9.4.0:alpha1
cpe…
9.3.0
9.2.0


9.3.16
9.2.21
2024-11-21 16:03
2022-06-10
Show GitHub Exploit DB Packet Storm
19 7.5
5.0
HIGH
Network
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with… CWE-212
 Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2022-31042 cpe:2.3:a:drupal:drupal:9.4.0:rc1
cpe:2.3:a:drupal:drupal:9.4.0:beta1
cpe:2.3:a:drupal:drupal:9.4.0:alpha1
cpe…
9.3.0
9.2.0


9.3.16
9.2.21
2024-11-21 16:03
2022-06-10
Show GitHub Exploit DB Packet Storm
20 8.1
5.8
HIGH
Network
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the … CWE-565
 Reliance on Cookies without Validation and Integrity Checking
CVE-2022-29248 cpe:2.3:a:drupal:drupal:*:* 9.2.0
9.3.0


9.2.20
9.3.14
2024-11-21 15:58
2022-05-26
Show GitHub Exploit DB Packet Storm