Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 254 CRITICAL 12 HIGH 57 MEDIUM 162 LOW 23
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • オープンソース
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
221 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 5 1
222 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 23 1
223 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 39 1
224 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 68 8
225 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 61 14
226 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 43 8
227 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 37 7
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
221 -
4.3
MEDIUM The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by upload… CWE-79
Cross-site Scripting
CVE-2007-5596 cpe:2.3:a:drupal:drupal:*:* 4.7.0
5.0


4.7.8
5.3
2026-04-23 09:35
2007-10-20
Show GitHub Exploit DB Packet Storm
222 -
4.3
MEDIUM The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished c… CWE-264
Permissions, Privileges, and Access Controls
CVE-2007-5597 cpe:2.3:a:drupal:drupal:*:* 4.7.0
5.0


4.7.8
5.3
2026-04-23 09:35
2007-10-20
Show GitHub Exploit DB Packet Storm
223 -
6.8
MEDIUM Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers t… CWE-189
Numeric Errors
CVE-2007-5416 cpe:2.3:a:drupal:drupal:*:* 5.2 2026-04-23 09:35
2007-10-13
Show GitHub Exploit DB Packet Storm
224 -
4.3
MEDIUM Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileg… NVD-CWE-Other
CVE-2007-4063 cpe:2.3:a:drupal:drupal:5.1_rev1.1:*
cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:drupal:drupal:5.0:*
2026-04-23 09:35
2007-07-31
Show GitHub Exploit DB Packet Storm
225 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via "some server variables," in… CWE-79
Cross-site Scripting
CVE-2007-4064 cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:drupal:drupal:5.0:*
cpe:2.3:a:drupal:drupal:4.7_rev1.15:*
cpe:2.3:a:dr…
2026-04-23 09:35
2007-07-31
Show GitHub Exploit DB Packet Storm
226 -
5.0
MEDIUM The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the … NVD-CWE-Other
CVE-2007-0658 cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:drupal:drupal:5.0:*
cpe:2.3:a:drupal:drupal:4.7_rev1.15:*
cpe:2.3:a:dr…
2026-04-23 09:35
2007-02-2
Show GitHub Exploit DB Packet Storm
227 -
6.5
MEDIUM The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input … NVD-CWE-noinfo
CVE-2007-0626 cpe:2.3:a:drupal:drupal:*:*
5.0

4.7.0
4.7.6
5.1
2026-04-23 09:35
2007-02-1
Show GitHub Exploit DB Packet Storm
228 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) … CWE-79
Cross-site Scripting
CVE-2007-0136 cpe:2.3:a:drupal:drupal:*:* 4.6.0
4.7.0


4.6.11
4.7.5
2026-04-23 09:35
2007-01-9
Show GitHub Exploit DB Packet Storm
229 -
3.5
LOW Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified… NVD-CWE-Other
CVE-2007-0124 cpe:2.3:a:drupal:drupal:4.7:*
cpe:2.3:a:drupal:drupal:4.7.4:*
cpe:2.3:a:drupal:drupal:4.7.3:*
cpe:2.3:a:drupal…
2026-04-23 09:35
2007-01-9
Show GitHub Exploit DB Packet Storm
230 -
6.8
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted … NVD-CWE-Other
CVE-2006-5475 cpe:2.3:a:drupal:drupal:4.7.3:*
cpe:2.3:a:drupal:drupal:4.7.2:*
cpe:2.3:a:drupal:drupal:4.7.1:*
cpe:2.3:a:drup…
2026-04-23 09:35
2006-10-25
Show GitHub Exploit DB Packet Storm