Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 254 CRITICAL 12 HIGH 57 MEDIUM 162 LOW 23
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • オープンソース
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
211 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 5 1
212 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 23 1
213 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 39 1
214 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 68 8
215 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 61 14
216 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 43 8
217 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 37 7
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
211 -
3.5
LOW Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms. CWE-79
Cross-site Scripting
CVE-2008-1131 cpe:2.3:a:drupal:drupal:6.0:* 2026-04-23 09:35
2008-03-4
Show GitHub Exploit DB Packet Storm
212 -
4.3
MEDIUM Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users. CWE-352
 Origin Validation Error
CVE-2008-0272 cpe:2.3:a:drupal:drupal:5.5.:*
cpe:2.3:a:drupal:drupal:5.4:*
cpe:2.3:a:drupal:drupal:5.3:*
cpe:2.3:a:drupal:dr…
2026-04-23 09:35
2008-01-16
Show GitHub Exploit DB Packet Storm
213 -
4.3
MEDIUM Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byt… CWE-79
Cross-site Scripting
CVE-2008-0273 cpe:2.3:a:drupal:drupal:5.5.:*
cpe:2.3:a:drupal:drupal:5.4:*
cpe:2.3:a:drupal:drupal:5.3:*
cpe:2.3:a:drupal:dr…
2026-04-23 09:35
2008-01-16
Show GitHub Exploit DB Packet Storm
214 -
2.6
LOW Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links inv… CWE-79
Cross-site Scripting
CVE-2008-0274 cpe:2.3:a:drupal:drupal:5.0:*
cpe:2.3:a:drupal:drupal:4.7:*
2026-04-23 09:35
2008-01-16
Show GitHub Exploit DB Packet Storm
215 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping … CWE-79
Cross-site Scripting
CVE-2008-0276 cpe:2.3:a:drupal:drupal:5.5.:*
cpe:2.3:a:drupal:drupal:5.4:*
cpe:2.3:a:drupal:drupal:5.3:*
cpe:2.3:a:drupal:dr…
2026-04-23 09:35
2008-01-16
Show GitHub Exploit DB Packet Storm
216 -
7.5
HIGH Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonom… CWE-20
CWE-89
 Improper Input Validation 
SQL Injection
CVE-2007-6299 cpe:2.3:a:drupal:drupal:5.2:*
cpe:2.3:a:drupal:drupal:5.1_rev1.1:*
cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:dru…
2026-04-23 09:35
2007-12-11
Show GitHub Exploit DB Packet Storm
217 -
3.5
LOW Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, No… CWE-79
Cross-site Scripting
CVE-2007-5621 cpe:2.3:a:drupal:drupal:5.2:*
cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:drupal:drupal:5.0:*
cpe:2.3:a:drupal:dru…
2026-04-23 09:35
2007-10-23
Show GitHub Exploit DB Packet Storm
218 -
6.8
MEDIUM install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified. CWE-94
Code Injection
CVE-2007-5593 cpe:2.3:a:drupal:drupal:*:* 5.0 5.3 2026-04-23 09:35
2007-10-20
Show GitHub Exploit DB Packet Storm
219 -
4.3
MEDIUM Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. CWE-352
 Origin Validation Error
CVE-2007-5594 cpe:2.3:a:drupal:drupal:*:* 5.0 5.3 2026-04-23 09:35
2007-10-20
Show GitHub Exploit DB Packet Storm
220 -
5.1
MEDIUM CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP … CWE-113
HTTP Response Splitting
CVE-2007-5595 cpe:2.3:a:drupal:drupal:*:* 4.7.0
5.0


4.7.8
5.3
2026-04-23 09:35
2007-10-20
Show GitHub Exploit DB Packet Storm