Software Detail
Drupal
Number Of NVD: 249 (CRITICAL 12, HIGH 57, MEDIUM 158, LOW 22)
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • Open source
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product
No, Name, Latest Version, Release date, Initial release, Normal Support, Security Support, Service Pack Support, Extended for a fee, Critical, High, Medium, Low
191 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 1 0
192 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 19 0
193 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 35 0
194 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
195 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
196 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
197 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
No, CVSS3, CVSS2, Level, Attack Vector, Title, CWE, CVE, cpe23Uri (or higher / or less / more than / less than), Update date, Published date
191 CVE-2008-3741
CVSS3: -, CVSS2: 3.5, Level: LOW
Title: The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks b…
CWE: CWE-79 Cross-site Scripting
cpe23Uri:
cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:drupal:6.2:*
cpe:2.3:a:drupal:drupal:6.1:*
cpe:2.3:a:drupal:dru…
Update date: 2026-04-23 09:35
Published date: 2008-08-28
192 CVE-2008-3742
CVSS3: -, CVSS2: 6.5, Level: MEDIUM
Title: Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an execu…
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri:
cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:drupal:6.2:*
cpe:2.3:a:drupal:drupal:6.1:*
cpe:2.3:a:drupal:dru…
Update date: 2026-04-23 09:35
Published date: 2008-08-28
193 CVE-2008-3743
CVSS3: -, CVSS2: 5.8, Level: MEDIUM
Title: Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token valid…
CWE: CWE-352 Origin Validation Error
cpe23Uri:
cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:drupal:6.2:*
cpe:2.3:a:drupal:drupal:6.1:*
cpe:2.3:a:drupal:dru…
Update date: 2026-04-23 09:35
Published date: 2008-08-28
194 CVE-2008-3744
CVSS3: -, CVSS2: 5.8, Level: MEDIUM
Title: Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add…
CWE: CWE-352 Origin Validation Error
cpe23Uri:
cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:drupal:6.2:*
cpe:2.3:a:drupal:drupal:6.1:*
cpe:2.3:a:drupal:dru…
Update date: 2026-04-23 09:35
Published date: 2008-08-28
195 CVE-2008-3745
CVSS3: -, CVSS2: 5.5, Level: MEDIUM
Title: The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri:
cpe:2.3:a:drupal:drupal:6.3:*
cpe:2.3:a:drupal:drupal:6.2:*
cpe:2.3:a:drupal:drupal:6.1:*
cpe:2.3:a:drupal:dru…
Update date: 2026-04-23 09:35
Published date: 2008-08-28
196 CVE-2008-3218
CVSS3: -, CVSS2: 4.3, Level: MEDIUM
Title: Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, whic…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:drupal:drupal:*:* (6.0 or higher, less than 6.3)
Update date: 2026-04-23 09:35
Published date: 2008-07-19
197 CVE-2008-3219
CVSS3: -, CVSS2: 4.3, Level: MEDIUM
Title: The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably r…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:drupal:drupal:*:* (5.0 or higher, less than 5.8; 6.0 or higher, less than 6.3)
Update date: 2026-04-23 09:35
Published date: 2008-07-19
198 CVE-2008-3220
CVSS3: -, CVSS2: 4.3, Level: MEDIUM
Title: Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated str…
CWE: CWE-352 Origin Validation Error
cpe23Uri: cpe:2.3:a:drupal:drupal:*:* (5.0 or higher, less than 5.8; 6.0 or higher, less than 6.3)
Update date: 2026-04-23 09:35
Published date: 2008-07-19
199 CVE-2008-3221
CVSS3: -, CVSS2: 4.3, Level: MEDIUM
Title: Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
CWE: CWE-352 Origin Validation Error
cpe23Uri: cpe:2.3:a:drupal:drupal:*:* (6.0 or higher, less than 6.3)
Update date: 2026-04-23 09:35
Published date: 2008-07-19
200 CVE-2008-3222
CVSS3: -, CVSS2: 5.8, Level: MEDIUM
Title: Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessio…
CWE: CWE-384 Session Fixation
cpe23Uri: cpe:2.3:a:drupal:drupal:*:* (5.0 or higher, less than 5.9; 6.0 or higher, less than 6.3)
Update date: 2026-04-23 09:35
Published date: 2008-07-19