Exposure of Drupal (CMS)

Exposure score: 259
Sites using it: 100,544
Exploited CVEs: 4
Critical CVEs: 8
84 results (20 listed below). Columns: CVE | severity | KEV | EPSS | description (descriptions are truncated as on the source page)

CVE-2018-7600  | CRITICAL | KEV | EPSS 100.0% | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because o…
CVE-2019-6340  | HIGH     | KEV | EPSS 91.9%  | Drupal core - Highly critical - Remote Code Execution
CVE-2026-9082  | CRITICAL | KEV | EPSS 84.6%  | Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
CVE-2020-13671 | HIGH     | KEV | EPSS 4.3%   | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect exten…
CVE-2019-6339  | —        |     | EPSS 33.2%  | PHAR stream wrapper Arbitrary PHP code execution
CVE-2017-6920  | —        |     | EPSS 20.5%  | Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects s…
CVE-2019-6341  | —        |     | EPSS 12.4%  | Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004
CVE-2024-45440 | MEDIUM   |     | EPSS 9.3%   | core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_co…
CVE-2017-6381  | —        |     | EPSS 3.9%   | A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated b…
CVE-2020-13664 | —        |     | EPSS 3.0%   | Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visitin…
CVE-2020-13666 | —        |     | EPSS 2.9%   | Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue…
CVE-2019-6338  | —        |     | EPSS 2.3%   | third-party PEAR Archive_Tar library updates
CVE-2017-6924  | —        |     | EPSS 2.1%   | REST API can bypass comment approval - Access Bypass - Moderately Critical
CVE-2017-6922  | —        |     | EPSS 1.9%   | Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
CVE-2017-6377  | —        |     | EPSS 1.9%   | When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attach…
CVE-2017-6921  | —        |     | EPSS 1.8%   | File REST resource does not properly validate
CVE-2011-4972  | —        |     | EPSS 1.7%   | hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not properly restrict access to private files, which allows remote attacke…
CVE-2017-6927  | —        |     | EPSS 1.7%   | Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape…
CVE-2017-6923  | —        |     | EPSS 1.6%   | Access bypass in Drupal 8 views
CVE-2017-6919  | —        |     | EPSS 1.6%   | Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is…