Software Detail
Drupal
Number Of NVD 249 (CRITICAL 12, HIGH 57, MEDIUM 158, LOW 22)
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v2
  • GPL v3
  • Open source

Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support / Service Pack Support Extended (for a fee) Critical High Medium Low
61 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 1 0
62 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 19 0
63 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 35 0
64 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
65 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
66 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
67 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
Columns: No, CVSS3, CVSS2, Level, Attack Vector, Title, CWE, CVE, cpe23Uri (or higher / or less / more than / less than), Update date, Published date
No 61
CVSS3 9.8
CVSS2 7.5
Level CRITICAL
Attack Vector Network
Title The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protec…
CWE CWE-22 Path Traversal, CWE-502 Deserialization of Untrusted Data
CVE CVE-2019-11831
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 8.7.0 or higher, less than 8.7.1
  • 8.6.0 or higher, less than 8.6.16
  • 7.0 or higher, less than 7.67
Update date 2024-11-21 13:21
Published date 2019-05-9
No 62
CVSS3 6.1
CVSS2 4.3
Level MEDIUM
Attack Vector Network
Title jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an e…
CWE CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE CVE-2019-11358
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 7.0 or higher, less than 7.66
  • 8.5.0 or higher, less than 8.5.15
  • 8.6.0 or higher, less than 8.6.15
Update date 2024-11-21 13:20
Published date 2019-04-20
No 63
CVSS3 5.4
CVSS2 3.5
Level MEDIUM
Attack Vector Network
Title In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a …
CWE CWE-79 Cross-site Scripting
CVE CVE-2019-6341
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 7.0 or higher, less than 7.65
  • 8.5.0 or higher, less than 8.5.14
  • 8.6.0 or higher, less than 8.6.13
Update date 2024-11-21 13:46
Published date 2019-03-27
No 64
CVSS3 8.1
CVSS2 6.8
Level HIGH
Attack Vector Network
Title Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site …
CWE CWE-502 Deserialization of Untrusted Data
CVE CVE-2019-6340
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 8.6.0 or higher, less than 8.6.10
  • 8.5.0 or higher, less than 8.5.11
Update date 2024-11-21 13:46
Published date 2019-02-22
No 65
CVSS3 6.5
CVSS2 4.0
Level MEDIUM
Attack Vector Network
Title In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpo…
CWE CWE-862 Missing Authorization
CVE CVE-2017-6923
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 8.0.0 or higher, less than 8.3.7
Update date 2024-11-21 12:30
Published date 2019-01-23
No 66
CVSS3 9.8
CVSS2 7.5
Level CRITICAL
Attack Vector Network
Title In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file opera…
CWE CWE-20 Improper Input Validation
CVE CVE-2019-6339
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 7.0 or higher, less than 7.62
  • 8.5.0 or higher, less than 8.5.9
  • 8.6.0 or higher, less than 8.6.6
Update date 2024-11-21 13:46
Published date 2019-01-23
No 67
CVSS3 6.5
CVSS2 4.0
Level MEDIUM
Attack Vector Network
Title In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visi…
CWE CWE-552 Files or Directories Accessible to External Parties
CVE CVE-2017-6922
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 8.0.0 or higher, less than 8.3.4
  • 7.0 or higher, less than 7.56
Update date 2024-11-21 12:30
Published date 2019-01-23
No 68
CVSS3 8.0
CVSS2 6.0
Level HIGH
Attack Vector Network
Title In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which …
CWE CWE-502 Deserialization of Untrusted Data
CVE CVE-2019-6338
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 7.0 or higher, less than 7.62
  • 8.5.0 or higher, less than 8.5.9
  • 8.6.0 or higher, less than 8.6.6
Update date 2024-11-21 13:46
Published date 2019-01-22
No 69
CVSS3 5.9
CVSS2 4.3
Level MEDIUM
Attack Vector Network
Title In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) modu…
CWE CWE-20 Improper Input Validation
CVE CVE-2017-6921
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 8.0.0 or higher, less than 8.3.4
Update date 2024-11-21 12:30
Published date 2019-01-16
No 70
CVSS3 7.4
CVSS2 5.8
Level HIGH
Attack Vector Network
Title In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comme…
CWE CWE-269 Improper Privilege Management
CVE CVE-2017-6924
cpe23Uri cpe:2.3:a:drupal:drupal:*:*
  • 8.0.0 or higher, less than 8.3.7
Update date 2024-11-21 12:30
Published date 2019-01-16