Software Detail
Drupal
Number of NVD entries: 249 (CRITICAL 12, HIGH 57, MEDIUM 158, LOW 22)
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v2
  • GPL v3
  • Open source

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended for a fee Critical High Medium Low
41 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 1 0
42 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 19 0
43 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 35 0
44 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
45 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
46 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
47 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri (or higher / or less / more than / less than) Update date Published date
41 CVSS3 6.1, CVSS2 4.3, MEDIUM, Attack Vector: Network
Title: Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.…
CWE: CWE-79 (Cross-site Scripting)
CVE: CVE-2020-13666
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 9.0.0, 8.9.0, 8.8.0, 7.0
less than: 9.0.6, 8.9.6, 8.8.10, 7.73
Update date: 2024-11-21 14:01
Published date: 2021-05-5
42 CVSS3 7.5, CVSS2 5.0, HIGH, Attack Vector: Network
Title: Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CWE: CWE-22 (Path Traversal), CWE-59 (Link Following)
CVE: CVE-2020-36193
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 9.1.0, 9.0.0, 7.0, 8.9.0
less than: 9.1.3, 9.0.11, 7.78, 8.9.13
Update date: 2024-11-21 14:28
Published date: 2021-01-19
43 CVSS3 8.8, CVSS2 6.5, HIGH, Attack Vector: Network
Title: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP f…
CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
CVE: CVE-2020-13671
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 8.8, 8.9, 9.0, 7.0
less than: 8.8.11, 8.9.9, 9.0.8, 7.74
Update date: 2024-11-21 14:01
Published date: 2020-11-21
44 CVSS3 7.8, CVSS2 6.8, HIGH, Attack Vector: Local
Title: Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CWE: CWE-502 (Deserialization of Untrusted Data)
CVE: CVE-2020-28948
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 7.0, 8.8.0, 8.0.0, 9.0.0
less than: 7.75, 8.8.12, 8.9.10, 9.0.9
Update date: 2024-11-21 14:23
Published date: 2020-11-20
45 CVSS3 7.8, CVSS2 6.8, HIGH, Attack Vector: Local
Title: Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
CWE: NVD-CWE-noinfo
CVE: CVE-2020-28949
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 7.0, 8.8.0, 8.0.0, 9.0.0
less than: 7.75, 8.8.12, 8.9.10, 9.0.9
Update date: 2025-03-8 02:12
Published date: 2020-11-20
46 CVSS3 9.8, CVSS2 6.8, CRITICAL, Attack Vector: Network
Title: An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release oth…
CWE: NVD-CWE-noinfo
CVE: CVE-2019-6342
cpe23Uri: cpe:2.3:a:drupal:drupal:8.7.4:*
Update date: 2024-11-21 13:46
Published date: 2020-05-29
47 CVSS3 6.1, CVSS2 4.3, MEDIUM, Attack Vector: Network
Title: In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may…
CWE: CWE-79 (Cross-site Scripting)
CVE: CVE-2020-11022
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 7.0, 8.7.0, 8.8.0
less than: 7.70, 8.7.14, 8.8.6
Update date: 2026-04-14 00:16
Published date: 2020-04-30
48 CVSS3 6.1, CVSS2 4.3, MEDIUM, Attack Vector: Network
Title: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation m…
CWE: -
CVE: CVE-2020-11023
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 7.0, 8.7.0, 8.8.0
less than: 7.70, 8.7.14, 8.8.6
Update date: 2024-11-21 13:56
Published date: 2020-04-30
49 CVSS3 6.1, CVSS2 4.3, MEDIUM, Attack Vector: Network
Title: A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with t…
CWE: CWE-79 (Cross-site Scripting)
CVE: CVE-2020-9281
cpe23Uri: cpe:2.3:a:drupal:drupal:*:*
or higher: 8.8.0, 8.7.0
less than: 8.8.4, 8.7.12
Update date: 2024-11-21 14:40
Published date: 2020-03-7
50 CVSS3 9.8, CVSS2 7.5, CRITICAL, Attack Vector: Network
Title: An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
CWE: CWE-89 (SQL Injection)
CVE: CVE-2011-2715
cpe23Uri: cpe:2.3:a:drupal:drupal:6.20:*
Update date: 2024-11-21 10:28
Published date: 2020-01-15