CRITICAL 9.8 CVE-2026-9082 ⚠ KEV Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
>= 8.9.0, < 10.4.10, >= 10.5.0, < 10.5.10, >= 10.6.0, < 10.6.9, >= 11.0.0, < 11.1.10, >= 11.2.0, < 11.2.12, >= 11.3.0, < 11.3.10
HIGH 8.8 CVE-2020-13671 ⚠ KEV Drupal core Unrestricted Upload of File with Dangerous Type
>= 7.0.0, < 7.74.0, >= 8.8.0, < 8.8.11, >= 8.9.0, < 8.9.9, >= 9.0.0, < 9.0.8
HIGH 7.5 ⚠ KEV php-pear - security update
>= 7.0.0, < 7.78.0, >= 8.9.0, < 8.9.13, >= 9.0.0, < 9.0.11, >= 9.1.0, < 9.1.3
MEDIUM 6.9 ⚠ KEV Potential XSS vulnerability in jQuery
>= 7.0.0, < 7.70.0, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.6
CRITICAL 10.0 The Bitnami WordPress Helm chart mounts Kubernetes Secrets under a predictable path (/opt/bitnami/wordpress/secrets) that is located within…
>= 11.1.5-0, < 11.2.2-1
CRITICAL 9.8 Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
>= 7.0.0, < 10.3.9
CRITICAL 9.8 Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
>= 8.0.0, < 10.3.9, >= 11.0.0, < 11.0.8
CRITICAL 9.8 Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
>= 8.0.0, < 10.3.9, >= 11.0.0, < 11.0.8
CRITICAL 9.8 Drupal Core Access bypass vulnerability
>= 8.8.0, < 8.8.8, >= 8.9.0, < 8.9.1, >= 9.0.0, < 9.0.1
CRITICAL 9.8 Unrestricted Upload of File with Dangerous Type in Drupal core
>= 8.0.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
HIGH 8.8 Drupal Core Arbitrary PHP code execution vulnerability
>= 8.8.0, < 8.8.8, >= 8.9.0, < 8.9.1, >= 9.0.0, < 9.0.1
HIGH 8.8 drupal7 - security update
>= 7.0.0, < 7.72.0, >= 8.8.0, < 8.8.8, >= 8.9.0, < 8.9.1, >= 9.0.0, < 9.0.1
HIGH 8.2 HTML comments vulnerability allowing to execute JavaScript code
>= 8.9.0, < 8.9.20, >= 9.1.0, < 9.1.14, >= 9.2.0, < 9.2.9
HIGH 8.2 Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
>= 8.9.0, < 8.9.20, >= 9.1.0, < 9.1.14, >= 9.2.0, < 9.2.9
HIGH 8.1 Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
>= 8.0.0, < 10.3.9, >= 11.0.0, < 11.0.8
HIGH 8.0 Cross-domain cookie leakage in Guzzle
>= 9.2.0, < 9.2.20, >= 9.3.0, < 9.3.14
HIGH 7.8 php-pear - security update
>= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
HIGH 7.8 php-pear - security update
>= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
HIGH 7.5 Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
>= 8.0.0, < 10.4.3, >= 11.0.0, < 11.1.3
HIGH 7.5 Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
>= 8.0.0, < 10.2.4
HIGH 7.5 Drupal Denial of Service vulnerability
>= 9.3.6, < 10.2.6
HIGH 7.5 Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
>= 8.7.0, < 9.5.11, >= 10.0.0, < 10.0.11, >= 10.1.0, < 10.1.4
HIGH 7.5 php-twig - security update
>= 8.0.0, < 9.3.22, >= 9.4.0, < 9.4.7
HIGH 7.5 Drupal core Information Disclosure vulnerability
>= 7.0.0, < 7.91.0, >= 8.0.0, < 9.3.19, >= 9.4.0, < 9.4.3
HIGH 7.5 Fix failure to strip Authorization header on HTTP downgrade in Guzzle
>= 9.2.0, < 9.2.21, >= 9.3.0, < 9.3.16
HIGH 7.5 Fix failure to strip Authorization header on HTTP downgrade in Guzzle
>= 9.2.0, < 9.2.21, >= 9.3.0, < 9.3.16
HIGH 7.5 Improper input validation in Drupal core
>= 8.0.0, < 9.2.18, >= 9.3.0, < 9.3.12
HIGH 7.5 drupal7 - security update
>= 7.0.0, < 7.88.0, >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.6
HIGH 7.5 Drupal core access bypass vulnerability
>= 8.0.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
HIGH 7.5 Exposure of Resource to Wrong Sphere in Drupal Core
>= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
HIGH 7.2 Drupal core arbitrary PHP code execution
>= 8.0.0, < 9.3.19, >= 9.4.0, < 9.4.3
MEDIUM 6.9 drupal7 - security update
>= 7.0.0, < 7.70.0, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.6
MEDIUM 6.6 Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
>= 8.0.0, < 10.5.9, >= 10.6.0, < 10.6.7, >= 11.0.0, < 11.2.11, >= 11.3.0, < 11.3.7
MEDIUM 6.5 Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
>= 7.0.0, < 7.96.0, >= 9.4.0, < 9.4.14, >= 9.5.0, < 9.5.8, >= 10.0.0, < 10.0.8
MEDIUM 6.5 Access bypass in Drupal Core
>= 8.0.0, < 9.3.19, >= 9.4.0, < 9.4.3
MEDIUM 6.5 Incorrect authorization in Drupal core
>= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.6
MEDIUM 6.5 XSS in `*Text` options of the Datepicker widget in jquery-ui
>= 7.0.0, < 7.86.0, >= 9.2.0, < 9.2.11, >= 9.3.0, < 9.3.3
MEDIUM 6.5 XSS in the `of` option of the `.position()` util in jquery-ui
>= 7.0.0, < 7.86.0, >= 9.2.0, < 9.2.11, >= 9.3.0, < 9.3.3
MEDIUM 6.5 jqueryui - security update
>= 7.0.0, < 7.86.0
MEDIUM 6.5 Incorrect Authorization in Drupal core
>= 8.9.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
MEDIUM 6.5 Cross-Site Request Forgery in Drupal core
>= 8.9.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
MEDIUM 6.1 Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
>= 11.3.0, < 11.3.7
MEDIUM 6.1 Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
>= 8.0.0, < 10.5.9, >= 10.6.0, < 10.6.7, >= 11.0.0, < 11.2.11, >= 11.3.0, < 11.3.7
MEDIUM 6.1 Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
>= 7.0.0, < 10.2.4
MEDIUM 6.1 Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
>= 8.0.0, < 10.4.3, >= 11.0.0, < 11.1.3
MEDIUM 6.1 Lack of domain validation in Drupal core
>= 9.3.0, < 9.3.19, >= 9.4.0, < 9.4.3
MEDIUM 6.1 drupal7 - security update
>= 7.0.0, < 7.70.1
MEDIUM 6.1 Access bypass in Drupal Core 8/9
>= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
MEDIUM 6.1 ckeditor - security update
>= 8.9.0, < 8.9.16, >= 9.0.0, < 9.0.14, >= 9.1.0, < 9.1.9
MEDIUM 6.1 CKEditor 4.0 vulnerability in the HTML Data Processor
>= 8.7.0, < 8.7.12, >= 8.8.0, < 8.8.4
MEDIUM 6.1 drupal7 - security update
from 0, < 7.80.0, >= 8.9.0, < 8.9.14, >= 9.0.0, < 9.0.12, >= 9.1.0, < 9.1.7
MEDIUM 6.1 Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
>= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
MEDIUM 6.1 Drupal Core Cross-site scripting vulnerability
>= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
MEDIUM 6.1 drupal7 - security update
>= 7.0.0, < 7.73.0, >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
MEDIUM 5.9 Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8
MEDIUM 5.9 Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
>= 10.0.0, < 10.3.0
MEDIUM 5.4 Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
>= 8.0.0, < 10.4.5, >= 11.0.0, < 11.1.5
MEDIUM 5.4 Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
>= 8.8.0, < 10.3.9, >= 11.0.0, < 11.0.8
MEDIUM 5.4 Access bypass in Drupal core
>= 9.3.0, < 9.3.12
MEDIUM 5.4 Cross-site Scripting in CKEditor4
>= 8.0.0, < 9.2.15, >= 9.3.0, < 9.3.8
MEDIUM 5.4 Cross-site Scripting in CKEditor4
>= 8.0.0, < 9.2.15, >= 9.3.0, < 9.3.8
MEDIUM 5.3 Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8
MEDIUM 5.3 Improper Input Validation in guzzlehttp/psr7
>= 8.0.0, < 9.2.16, >= 9.3.0, < 9.3.9
MEDIUM 5.3 Drupal Core Access bypass vulnerability
>= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
MEDIUM 4.6 Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
>= 8.0.0, < 10.4.3, >= 11.0.0, < 11.1.3
MEDIUM 4.3 Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8
LOW 3.7 Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8