Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Forceful browsing over network with no auth or interaction; partial C and I only, no availability impact, no scope change.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0.
AnalysisAI
Missing authorization controls in Drupal WissKI versions prior to 4.2.0 enable unauthenticated remote attackers to perform forceful browsing - directly accessing restricted resources by guessing or enumerating URLs without undergoing proper authorization checks. The affected versions span the entire release history from 0.0.0 through 4.2.0, making all prior deployments vulnerable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required - the CVSS vector PR:N confirms unauthenticated access is sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) is driven by network accessibility (AV:N), low complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N), with partial confidentiality and integrity impact but no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates WissKI-specific Drupal route paths - discoverable through public documentation or module source inspection - and issues direct HTTP GET requests to restricted endpoints without holding the required permissions. The missing authorization check allows the server to respond with restricted entity or ontology data, or permits state-modifying actions, without the attacker ever authenticating. … |
| Remediation | The vendor has released a patch; upgrade WissKI to version 4.2.0 or later by following the standard Drupal module update procedure (composer update drupal/wisski or via the Drupal admin interface). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43063
GHSA-8375-8mwf-6r6x