ReportizFlow
Filtered by vendor Drupal
Subscriptions
Total
946 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4929 | 2 Drupal, Simple Hierarchical Select Project | 2 Simple Hierarchical Select (shs), Simple Hierarchical Select | 2026-06-01 | 5.4 Medium |
| Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10. | ||||
| CVE-2026-4093 | 2 Drupal, Taxonomy Term Reference Tree Widget Project | 2 Term Reference Tree, Taxonomy Term Reference Tree Widget | 2026-06-01 | 5.4 Medium |
| In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11. | ||||
| CVE-2026-5343 | 2 Drupal, Miniorange | 2 Saml Sso - Service Provider, Saml Sso - Service Provider | 2026-06-01 | 7.4 High |
| Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4. | ||||
| CVE-2026-6816 | 2 Drupal, Tfa Basic Plugins Project | 2 Tfa Basic Plugins, Tfa Basic Plugins | 2026-06-01 | 3.8 Low |
| An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2. | ||||
| CVE-2026-8492 | 2 Drupal, Gtranslate | 2 Translate Drupal With Gtranslate, Gtranslate | 2026-05-27 | 2.7 Low |
| Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5. | ||||
| CVE-2026-8495 | 2 Date Ical Project, Drupal | 2 Date Ical, Date Ical | 2026-05-27 | 9.8 Critical |
| Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15. | ||||
| CVE-2026-8493 | 2 Colorbox Inline Project, Drupal | 2 Colorbox Inline, Colorbox Inline | 2026-05-27 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1. | ||||
| CVE-2026-8491 | 2 Adcisolutions, Drupal | 2 Node View Permissions, Node View Permissions | 2026-05-27 | 3.7 Low |
| Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1. | ||||
| CVE-2026-9082 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-23 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. | ||||
| CVE-2026-6871 | 2 Drupal, Obfuscate Project | 2 Obfuscate, Obfuscate | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2. | ||||
| CVE-2026-6095 | 2 Drupal, Gaya | 2 Orejime, Orejime | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16. | ||||
| CVE-2026-6365 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | ||||
| CVE-2026-6366 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-21 | 6.6 Medium |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | ||||
| CVE-2026-6367 | 1 Drupal | 2 Drupal, Drupal Core | 2026-05-21 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7. | ||||
| CVE-2009-4602 | 1 Drupal | 2 Drupal, Randomizer | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2008-0275 | 1 Drupal | 1 Atom Module | 2026-04-23 | N/A |
| The Atom 4.7 before 4.7.x-1.0 and 5.x before 5.x-1.0 module for Drupal does not properly manage permissions for node (1) titles, (2) teasers, and (3) bodies, which might allow remote attackers to gain access to syndicated content. | ||||
| CVE-2008-3740 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2008-0273 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism. | ||||
| CVE-2008-0274 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files. | ||||
| CVE-2008-2999 | 1 Drupal | 2 Aggregation Module, Drupal | 2026-04-23 | N/A |
| Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||||