CRITICAL 9.8 | CVE-2026-9082 | ⚠ KEV | Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
>= 8.9.0, < 10.4.10 | >= 10.5.0, < 10.5.10 | >= 10.6.0, < 10.6.9 | >= 11.0.0, < 11.1.10 | >= 11.2.0, < 11.2.12 | >= 11.3.0, < 11.3.10
>= 7.0, < 7.59
CRITICAL 9.8 | ⚠ KEV | drupal7 - security update
>= 8.0.0, < 8.4.8 | >= 8.5.0, < 8.5.3
CRITICAL 9.8 | ⚠ KEV | drupal7 - security update
>= 7.0, < 7.58
CRITICAL 9.8 | ⚠ KEV | drupal7 - security update
>= 8.0.0, < 8.3.9 | >= 8.4.0, < 8.4.6 | >= 8.5.0, < 8.5.1
HIGH 8.8 | ⚠ KEV | Drupal core Unrestricted Upload of File with Dangerous Type
>= 9.0.0, < 9.0.8
HIGH 8.8 | ⚠ KEV | Drupal core Unrestricted Upload of File with Dangerous Type
>= 8.0.0, < 8.8.11 | >= 8.9.0, < 8.9.9 | >= 9.0.0, < 9.0.8
HIGH 8.1 | ⚠ KEV | Drupal Core Remote Code Execution Vulnerability
>= 8.0.0, < 8.5.11 | >= 8.6.0, < 8.6.10
HIGH 8.1 | ⚠ KEV | Drupal Core Remote Code Execution Vulnerability
>= 8.6.0, < 8.6.10
CRITICAL 9.8 | Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9
CRITICAL 9.8 | Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
>= 8.8.0, < 10.2.11
CRITICAL 9.8 | Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
>= 8.8.0, < 10.2.11
CRITICAL 9.8 | Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9 | >= 11.0.0, < 11.0.8
CRITICAL 9.8 | Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
>= 8.8.0, < 10.2.11
CRITICAL 9.8 | Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9 | >= 11.0.0, < 11.0.8
CRITICAL 9.8 | Drupal Core Access bypass vulnerability
>= 8.8.0, < 8.8.8
CRITICAL 9.8 | Drupal PECL YAML parser unsafe object handling
>= 8.0, < 8.3.4
CRITICAL 9.8 | Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions
>= 8.0, < 8.3.7
CRITICAL 9.8 | Drupal SQL Injection vulnerability
CRITICAL 9.8 | Unrestricted Upload of File with Dangerous Type in Drupal core
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
CRITICAL 9.8 | Unrestricted Upload of File with Dangerous Type in Drupal core
>= 8.0.0, < 8.9.19
CRITICAL 9.8 | Drupal Improper Access Control
>= 8.7.4, < 8.7.5
CRITICAL 9.8 | Drupal Improper Access Control
>= 8.7.4, < 8.7.5
CRITICAL 9.8 | drupal7 - security update
>= 8.0.0, < 8.6.16 | >= 8.7.0, < 8.7.1
CRITICAL 9.8 | drupal7 - security update
>= 7.0.0, < 7.67.0
CRITICAL 9.8 | drupal7 - security update
>= 7.0.0, < 7.62.0
CRITICAL 9.8 | drupal7 - security update
>= 8.0.0, < 8.5.9 | >= 8.6.0, < 8.6.6
HIGH 8.8 | drupal7 - security update
>= 7.0, < 7.44
HIGH 8.8 | Drupal Core Arbitrary PHP code execution vulnerability
>= 8.0.0, < 8.8.8 | >= 8.9.0, < 8.9.1 | >= 9.0.0, < 9.0.1
HIGH 8.8 | Drupal Core Arbitrary PHP code execution vulnerability
>= 8.8.0, < 8.8.8
HIGH 8.8 | drupal7 - security update
>= 8.9.0, < 8.9.1
HIGH 8.8 | drupal7 - security update
>= 8.0.0, < 8.8.8 | >= 8.9.0, < 8.9.1 | >= 9.0.0, < 9.0.1
HIGH 8.1 | Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
>= 8.0.0, < 10.2.11 | >= 10.3.0, < 10.3.9 | >= 11.0.0, < 11.0.8
HIGH 8.1 | Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
>= 8.0.0, < 10.2.11
HIGH 8.1 | Drupal saving user accounts can sometimes grant the user all roles
>= 6.0, < 6.38
HIGH 8.1 | drupal7 - security update
>= 7.0, < 7.43
HIGH 8.1 | Drupal arbitrary code execution
>= 6.0, < 6.38
HIGH 8.1 | Drupal Comment reply form allows access to restricted content
>= 8.4.0, < 8.4.5
HIGH 8.1 | Drupal access bypass vulnerability
>= 8.4.0, < 8.4.5
HIGH 8.1 | Drupal Remote code execution
>= 8.0, < 8.2.7
HIGH 8.1 | php5 - security update
>= 8.0, < 8.1.7
HIGH 8.0 | Cross-domain cookie leakage in Guzzle
>= 8.0.0, < 9.2.20 | >= 9.3.0, < 9.3.14
HIGH 8.0 | drupal7 - security update
>= 8.0.0, < 8.5.9 | >= 8.6.0, < 8.6.6
HIGH 7.8 | php-pear - security update
>= 8.0.0, < 8.8.12 | >= 8.9.0, < 8.9.10 | >= 9.0.0, < 9.0.9
HIGH 7.5 | Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
>= 8.0.0, < 10.3.13
HIGH 7.5 | Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
>= 8.0.0, < 10.3.13 | >= 10.4.0, < 10.4.3 | >= 11.0.0, < 11.0.12 | >= 11.1.0, < 11.1.3
HIGH 7.5 | Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
>= 10.1.0, < 10.1.8
HIGH 7.5 | Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
>= 8.0.0, < 10.1.8 | >= 10.2.0, < 10.2.2
HIGH 7.5 | Drupal Denial of Service vulnerability
HIGH 7.5 | Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
>= 8.7.0, < 9.5.11
HIGH 7.5 | Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
>= 8.7.0, < 9.5.11 | >= 10.0.0, < 10.0.11 | >= 10.1.0, < 10.1.4
HIGH 7.5 | php-twig - security update
>= 8.0.0, < 9.3.22 | >= 9.4.0, < 9.4.7
HIGH 7.5 | Drupal core Information Disclosure vulnerability
>= 7.0.0, < 7.91
HIGH 7.5 | Drupal core Information Disclosure vulnerability
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3
HIGH 7.5 | Fix failure to strip Authorization header on HTTP downgrade in Guzzle
>= 8.0.0, < 9.2.21 | >= 9.3.0, < 9.3.16
HIGH 7.5 | Drupal Form API ignores access restrictions on submit buttons
>= 6.0, < 6.38
HIGH 7.5 | Drupal Brute force amplification attacks via XML-RPC
>= 7.0, < 7.43
HIGH 7.5 | Drupal Incorrect cache context on password reset page
>= 8.0, < 8.2.3
HIGH 7.5 | Drupal Cross-Site Request Forgery (CSRF)
>= 8.2.0, < 8.2.7
HIGH 7.5 | Drupal access control bypass vulnerability
>= 8.0, < 8.2.8
HIGH 7.5 | Drupal editor module incorrectly checks access to inline private files
>= 8.2.0, < 8.2.7
HIGH 7.5 | Improper input validation in Drupal core
>= 8.0.0, < 9.2.18 | >= 9.3.0, < 9.3.12
HIGH 7.5 | Improper input validation in Drupal core
>= 8.0.0, < 9.2.18
HIGH 7.5 | drupal7 - security update
>= 8.0.0, < 9.2.13 | >= 9.3.0, < 9.3.6
HIGH 7.5 | drupal7 - security update
>= 9.3.0, < 9.3.6
HIGH 7.5 | Drupal core access bypass vulnerability
>= 8.0.0, < 8.9.19
HIGH 7.5 | Drupal core access bypass vulnerability
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
HIGH 7.5 | Exposure of Resource to Wrong Sphere in Drupal Core
>= 8.0.0, < 8.8.10 | >= 8.9.0, < 8.9.6 | >= 9.0.0, < 9.0.6
HIGH 7.5 | Exposure of Resource to Wrong Sphere in Drupal Core
>= 8.0.0, < 8.8.10
HIGH 7.4 | Drupal Open Redirect
>= 8.0, < 8.0.4
HIGH 7.4 | Drupal Open redirect vulnerability in the drupal_goto function
>= 6.0, < 6.38
HIGH 7.4 | Drupal REST API can bypass comment approval
>= 8.0, < 8.3.7
HIGH 7.2 | Drupal core arbitrary PHP code execution
>= 8.0.0, < 9.3.19
HIGH 7.2 | Drupal core arbitrary PHP code execution
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3
HIGH 7.1 | drupal7 - security update
>= 8.0.0, < 8.9.17 | >= 9.1.0, < 9.1.11 | >= 9.2.0, < 9.2.2
MEDIUM 6.8 | Drupal Open Redirect
>= 7.0, < 7.52
MEDIUM 6.6 | Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
>= 8.0.0, < 10.5.9
MEDIUM 6.6 | Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
>= 8.0.0, < 10.5.9 | >= 10.6.0, < 10.6.7 | >= 11.0.0, < 11.2.11 | >= 11.3.0, < 11.3.7
MEDIUM 6.5 | Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
>= 8.0.0, < 9.4.14 | >= 9.5.0, < 9.5.8 | >= 10.0.0, < 10.0.8
MEDIUM 6.5 | Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
>= 10.0.0, < 10.0.8
MEDIUM 6.5 | Access bypass in Drupal Core
>= 8.0.0, < 9.3.19
MEDIUM 6.5 | Access bypass in Drupal Core
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3
MEDIUM 6.5 | Drupal Denial of service via transliterate mechanism
>= 8.0, < 8.2.3
MEDIUM 6.5 | Drupal Settings Tray access bypass
>= 8.4.0, < 8.4.5
MEDIUM 6.5 | drupal7 - security update
>= 7.0, < 7.56
MEDIUM 6.5 | Incorrect authorization in Drupal core
>= 8.0.0, < 9.2.13 | >= 9.3.0, < 9.3.6
MEDIUM 6.5 | Incorrect authorization in Drupal core
>= 9.3.0, < 9.3.6
MEDIUM 6.5 | Incorrect Authorization in Drupal core
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
MEDIUM 6.5 | Incorrect Authorization in Drupal core
>= 8.0.0, < 8.9.19
MEDIUM 6.5 | Cross-Site Request Forgery in Drupal core
>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
MEDIUM 6.5 | Cross-Site Request Forgery in Drupal core
>= 8.0.0, < 8.9.19
MEDIUM 6.5 | Missing Authorization in Drupal
>= 8.0, < 8.3.7
MEDIUM 6.4 | Drupal Reflected file download vulnerability
>= 6.0, < 6.38
MEDIUM 6.1 | Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
>= 11.3.0, < 11.3.7
MEDIUM 6.1 | Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
>= 11.3.0, < 11.3.7
MEDIUM 6.1 | Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
>= 8.0.0, < 10.5.9 | >= 10.6.0, < 10.6.7 | >= 11.0.0, < 11.2.11 | >= 11.3.0, < 11.3.7
MEDIUM 6.1 | Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
>= 8.0.0, < 10.5.9
MEDIUM 6.1 | Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
>= 8.0.0, < 10.3.13
MEDIUM 6.1 | Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
>= 8.0.0, < 10.3.13 | >= 10.4.0, < 10.4.3 | >= 11.0.0, < 11.0.12 | >= 11.1.0, < 11.1.3
MEDIUM 6.1 | Lack of domain validation in Drupal core
>= 8.0.0, < 9.3.19 | >= 9.4.0, < 9.4.3