Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 254 CRITICAL 12 HIGH 57 MEDIUM 162 LOW 23
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • オープンソース
  • GPL v2

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
51 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 5 1
52 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 23 1
53 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 39 1
54 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 68 8
55 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 61 14
56 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 43 8
57 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 37 7
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
51 9.8
6.8
CRITICAL
Network
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release oth… NVD-CWE-noinfo
CVE-2019-6342 cpe:2.3:a:drupal:drupal:8.7.4:* 2024-11-21 13:46
2020-05-29
Show GitHub Exploit DB Packet Storm
52 6.1
4.3
MEDIUM
Network
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may… CWE-79
Cross-site Scripting
CVE-2020-11022 cpe:2.3:a:drupal:drupal:*:* 7.0
8.7.0
8.8.0




7.70
8.7.14
8.8.6
2026-04-14 00:16
2020-04-30
Show GitHub Exploit DB Packet Storm
53 6.1
4.3
MEDIUM
Network
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation m… - CVE-2020-11023 cpe:2.3:a:drupal:drupal:*:* 7.0
8.7.0
8.8.0




7.70
8.7.14
8.8.6
2024-11-21 13:56
2020-04-30
Show GitHub Exploit DB Packet Storm
54 6.1
4.3
MEDIUM
Network
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with t… CWE-79
Cross-site Scripting
CVE-2020-9281 cpe:2.3:a:drupal:drupal:*:* 8.8.0
8.7.0


8.8.4
8.7.12
2024-11-21 14:40
2020-03-7
Show GitHub Exploit DB Packet Storm
55 9.8
7.5
CRITICAL
Network
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. CWE-89
SQL Injection
CVE-2011-2715 cpe:2.3:a:drupal:drupal:6.20:* 2024-11-21 10:28
2020-01-15
Show GitHub Exploit DB Packet Storm
56 6.1
4.3
MEDIUM
Network
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. CWE-79
Cross-site Scripting
CVE-2011-2714 cpe:2.3:a:drupal:drupal:6.20:* 2024-11-21 10:28
2020-01-15
Show GitHub Exploit DB Packet Storm
57 7.5
5.0
HIGH
Network
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individua… CWE-863
 Incorrect Authorization
CVE-2011-2726 cpe:2.3:a:drupal:drupal:*:* 7.0 7.5 2024-11-21 10:28
2019-11-16
Show GitHub Exploit DB Packet Storm
58 6.5
3.5
MEDIUM
Network
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal s… CWE-20
 Improper Input Validation 
CVE-2010-2473 cpe:2.3:a:drupal:drupal:*:* 6.0
5.0


6.16
5.22
2024-11-21 10:16
2019-11-8
Show GitHub Exploit DB Packet Storm
59 4.8
3.5
MEDIUM
Network
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which c… CWE-79
Cross-site Scripting
CVE-2010-2472 cpe:2.3:a:drupal:drupal:*:* 6.0
5.0


6.16
5.22
2024-11-21 10:16
2019-11-8
Show GitHub Exploit DB Packet Storm
60 6.1
4.3
MEDIUM
Network
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. CWE-79
Cross-site Scripting
CVE-2010-2250 cpe:2.3:a:drupal:drupal:*:* 6.0
5.0


6.16
5.22
2024-11-21 10:16
2019-11-8
Show GitHub Exploit DB Packet Storm