Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 254 CRITICAL 12 HIGH 57 MEDIUM 162 LOW 23
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • オープンソース
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
41 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 5 1
42 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 23 1
43 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 39 1
44 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 68 8
45 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 61 14
46 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 43 8
47 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 37 7
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
41 6.1
4.3
MEDIUM
Network
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted … CWE-79
Cross-site Scripting
CVE-2021-33829 cpe:2.3:a:drupal:drupal:*:* 9.1.0
9.0.0
8.9.0




9.1.9
9.0.14
8.9.16
2024-11-21 15:09
2021-06-9
Show GitHub Exploit DB Packet Storm
42 5.3
4.3
MEDIUM
Network
Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switch… CWE-276
Incorrect Default Permissions 
CVE-2020-13667 cpe:2.3:a:drupal:drupal:*:* 9.0.0
8.9.0
8.8.0




9.0.6
8.9.6
8.8.10
2024-11-21 14:01
2021-05-18
Show GitHub Exploit DB Packet Storm
43 9.8
7.5
CRITICAL
Network
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issu… NVD-CWE-noinfo
CVE-2020-13665 cpe:2.3:a:drupal:drupal:*:* 9.0.0
8.9.0
8.8.0




9.0.1
8.9.1
8.8.8
2024-11-21 14:01
2021-05-6
Show GitHub Exploit DB Packet Storm
44 8.8
9.3
HIGH
Network
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefull… CWE-77
Command Injection
CVE-2020-13664 cpe:2.3:a:drupal:drupal:*:* 9.0.0
8.9.0
8.8.0




9.0.1
8.9.1
8.8.8
2024-11-21 14:01
2021-05-6
Show GitHub Exploit DB Packet Storm
45 6.1
5.8
MEDIUM
Network
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal… CWE-601
Open Redirect
CVE-2020-13662 cpe:2.3:a:drupal:drupal:*:* 7.0 7.70 2024-11-21 14:01
2021-05-6
Show GitHub Exploit DB Packet Storm
46 6.1
4.3
MEDIUM
Network
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.… CWE-79
Cross-site Scripting
CVE-2020-13666 cpe:2.3:a:drupal:drupal:*:* 9.0.0
8.9.0
8.8.0
7.0






9.0.6
8.9.6
8.8.10
7.73
2024-11-21 14:01
2021-05-5
Show GitHub Exploit DB Packet Storm
47 7.5
5.0
HIGH
Network
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. CWE-22
CWE-59
Path Traversal
Link Following
CVE-2020-36193 cpe:2.3:a:drupal:drupal:*:* 9.1.0
9.0.0
7.0
8.9.0






9.1.3
9.0.11
7.78
8.9.13
2024-11-21 14:28
2021-01-19
Show GitHub Exploit DB Packet Storm
48 8.8
6.5
HIGH
Network
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP f… CWE-434
 Unrestricted Upload of File with Dangerous Type 
CVE-2020-13671 cpe:2.3:a:drupal:drupal:*:* 8.8
8.9
9.0
7.0






8.8.11
8.9.9
9.0.8
7.74
2024-11-21 14:01
2020-11-21
Show GitHub Exploit DB Packet Storm
49 7.8
6.8
HIGH
Local
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. CWE-502
 Deserialization of Untrusted Data
CVE-2020-28948 cpe:2.3:a:drupal:drupal:*:* 7.0
8.8.0
8.0.0
9.0.0






7.75
8.8.12
8.9.10
9.0.9
2024-11-21 14:23
2020-11-20
Show GitHub Exploit DB Packet Storm
50 7.8
6.8
HIGH
Local
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. NVD-CWE-noinfo
CVE-2020-28949 cpe:2.3:a:drupal:drupal:*:* 7.0
8.8.0
8.0.0
9.0.0






7.75
8.8.12
8.9.10
9.0.9
2025-03-8 02:12
2020-11-20
Show GitHub Exploit DB Packet Storm