ReportizFlow
Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
758 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9082 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-23 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. | ||||
| CVE-2026-6365 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | ||||
| CVE-2026-6366 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-21 | 6.6 Medium |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | ||||
| CVE-2026-6367 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7. | ||||
| CVE-2009-1505 | 1 Drupal | 2 Drupal, News Page | 2026-04-23 | N/A |
| SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 for Drupal allows remote authenticated users, with News Page nodes create and edit privileges, to execute arbitrary SQL commands via the Include Words (aka keywords) field. | ||||
| CVE-2009-4371 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form. | ||||
| CVE-2009-3488 | 2 Drupal, Ron Jerome | 2 Drupal, Bibliography | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Bibliography (aka Biblio) module 6.x-1.6 for Drupal allows remote authenticated users, with certain content-creation privileges, to inject arbitrary web script or HTML via the Title field, probably a different vulnerability than CVE-2009-3479. | ||||
| CVE-2008-6383 | 1 Drupal | 2 Drupal, Storm | 2026-04-23 | N/A |
| SQL injection vulnerability in SpeedTech Organization and Resource Manager (Storm) 5.x before 5.x-1.14 and 6.x before 6.x-1.18, a module for Drupal, allows remote authenticated users with storm project access to execute arbitrary SQL commands via unspecified vectors. | ||||
| CVE-2009-3207 | 2 Drewish, Drupal | 2 Imagecache, Drupal | 2026-04-23 | N/A |
| The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, when the private file system is used, does not properly perform access control for derivative images, which allows remote attackers to view arbitrary images via a request that specifies an image's filename. | ||||
| CVE-2008-3220 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2026-04-23 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings." | ||||
| CVE-2008-3221 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2026-04-23 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities. | ||||
| CVE-2009-3351 | 2 Drupal, Kristy Frey | 2 Drupal, Node Browser Module | 2026-04-23 | N/A |
| Multiple unspecified vulnerabilities in the Node Browser module for Drupal have unknown impact and attack vectors. | ||||
| CVE-2008-6910 | 2 Drupal, Marc Ingram | 2 Drupal, Services | 2026-04-23 | N/A |
| Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not use timeouts for signed requests, which allows remote attackers to impersonate other users and gain privileges via a replay attack that sends the same request. | ||||
| CVE-2009-3920 | 2 Drupal, Sean Robertson | 2 Drupal, Crmngp | 2026-04-23 | N/A |
| An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors. | ||||
| CVE-2008-6171 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header. | ||||
| CVE-2009-1823 | 1 Drupal | 2 Drupal, Print | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML by modifying a document head, before the Content-Type META element, to contain crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, a related issue to CVE-2009-1575. | ||||
| CVE-2009-3210 | 2 Drupal, Joao Ventura | 2 Drupal, Print | 2026-04-23 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.8 and 6.x before 6.x-1.8, a module for Drupal, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2009-1738 | 2 Drupal, Ivanjaros | 2 Drupal, Feed Block | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in Feed Block 6.x-1.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with administrator feed permissions to inject arbitrary web script or HTML via unspecified vectors in "aggregator items." | ||||
| CVE-2009-1035 | 2 Drupal, Jake Gordon | 2 Drupal, Tasks | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via Cascading Style Sheets (CSS). | ||||
| CVE-2008-4710 | 1 Drupal | 2 Drupal, Stock Module | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||