Drupal

A Cross-Site Scripting (XSS) vulnerability exists in Drupal Tagify module versions prior to 1.2.49, stemming from improper neutralization of user input during web page generation. An attacker can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. This vulnerability affects all Tagify installations from version 0.0.0 through 1.2.48, and patch availability has been confirmed through the Drupal security advisory.

Central Authentication System Server versions up to 2.0.3 contains a security vulnerability (CVSS 4.2).

Improper authorization controls in Drupal Canvas versions before 1.0.4 enable attackers to bypass access restrictions and enumerate or access restricted resources through direct browsing. The vulnerability requires specific conditions to exploit (high attack complexity) but affects all unauthenticated users with network access. Currently, no patch is publicly available and exploitation activity has not been confirmed.

The Microsoft Entra ID SSO Login module for Drupal before version 1.0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to escalate privileges through an alternate authentication channel. An attacker can exploit this flaw to gain unauthorized access with elevated permissions on affected Drupal installations. No patch is currently available, and the vulnerability has low exploit probability (EPSS 0.1%).

At Internet Piano Analytics versions up to 1.0.1 is affected by cross-site scripting (xss) (CVSS 4.8).

Cross-site scripting in the AT Internet SmartTag Drupal module versions before 1.0.1 enables attackers to inject malicious scripts through improper input validation on web pages. An attacker can exploit this vulnerability remotely without authentication to steal session cookies, perform actions on behalf of users, or deface content, though user interaction is required for successful exploitation. No patch is currently available for affected Drupal installations.

Group Invite versions up to 2.3.9 is affected by improper check for unusual or exceptional conditions (CVSS 5.3).

Http Client Manager versions up to 9.3.13 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. [CVSS 8.1 HIGH]

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3. [CVSS 4.2 MEDIUM]

Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0. [CVSS 5.3 MEDIUM]

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. [CVSS 6.1 MEDIUM]

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44. [CVSS 5.4 MEDIUM]

Login Time Restriction versions up to 1.0.3. is affected by cross-site request forgery (csrf) (CVSS 8.1).

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM]

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2. [CVSS 5.4 MEDIUM]

Commerce Paybox versions up to 7.X-1.5. is affected by improper verification of cryptographic signature (CVSS 7.5).

Cross-site scripting (XSS) in Drupal Form Builder 7.x versions 1.0 through 1.22 allows unauthenticated attackers to inject malicious scripts through improperly sanitized form inputs, affecting users who interact with compromised forms. Public exploit code exists for this vulnerability, and no patch is currently available, leaving vulnerable installations at active risk of session hijacking, credential theft, and defacement.

AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. [CVSS 4.8 MEDIUM]

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. [CVSS 5.4 MEDIUM]

Cross-site scripting (XSS) in Drupal 7.x Webform Multiple File Upload module versions 7.x-1.2 through 7.x-1.6 enables unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading files with malicious filenames to Webform nodes where file type validation is disabled. The vulnerability originates in the third-party fyneworks/multifile library's file name renderer. With EPSS at 0.07% (21st percentile) and no public exploit identified at time of analysis, exploitation probability remains low despite the CVSS 7.0 score.

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.0.0 before 10.4.9, from 10.5.0. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).0.0 before 2.0.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.0.0 before 2.0.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5.

Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.0.0 before 2.2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.0.0 before 2.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.0.0 before 1.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).0.0 before 1.10.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.0.0 before 2.18.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).0.0 before 1.2.16. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4.

CVE-2025-7030 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Paragraphs table allows Cross-Site Scripting (XSS).This issue affects Paragraphs table: from 2.0.0 before 2.0.5.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple XML sitemap allows Cross-Site Scripting (XSS).This issue affects Simple XML sitemap: from 0.0.0 before 4.2.2.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0.*, from 0.0.0 before 5.1.*.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor5 Youtube allows Cross-Site Scripting (XSS).This issue affects CKEditor5 Youtube: from 0.0.0 before 1.0.3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS).This issue affects Klaro Cookie & Consent Management: from 0.0.0 before 3.0.7.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Toc.Js allows Cross-Site Scripting (XSS).This issue affects Toc.Js: from 0.0.0 before 3.2.1.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GLightbox allows Cross-Site Scripting (XSS).This issue affects GLightbox: from 0.0.0 before 1.0.16.

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.

Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the Drupal etracker module that allows unauthenticated remote attackers to inject malicious scripts into web pages without requiring user interaction. The vulnerability affects etracker versions prior to 3.1.0, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites. The CVSS 7.3 score and network-accessible attack vector indicate this is a significant vulnerability affecting any Drupal installation with the vulnerable etracker module enabled.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0.

Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal Simple Klaro module versions before 1.10.0 that fails to properly neutralize user input during web page generation. An unauthenticated remote attacker can inject malicious scripts that execute in victims' browsers with high impact on confidentiality and integrity, though the attack requires user interaction (clicking a malicious link). The vulnerability has a high CVSS score of 8.8 due to its network-based attack vector and broad scope, but real-world exploitation likelihood depends on KEV/EPSS data not provided in available intelligence.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal EU Cookie Compliance (GDPR Compliance) allows Cross-Site Scripting (XSS).This issue affects EU Cookie Compliance (GDPR Compliance): from 0.0.0 before 1.26.0.

Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing.This issue affects Bookable Calendar: from 0.0.0 before 2.2.13.

Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module that allows unauthenticated remote attackers to inject and execute malicious scripts during web page generation. All versions from 0.0.0 before 1.2.15 are affected. The vulnerability has a high CVSS score of 8.6 with no authentication or user interaction required, enabling attackers to compromise confidentiality, modify page content, and degrade availability. The network-based attack vector and low complexity indicate this is likely actively exploitable in real-world deployments.

Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module (versions before 1.2.15) that allows unauthenticated attackers to inject malicious scripts into web pages due to improper input neutralization. The vulnerability has a CVSS score of 8.6 (High severity) with network-based attack vector requiring no privileges or user interaction, enabling attackers to compromise confidentiality, integrity, and availability of affected sites. No active KEV or widespread public PoC data is available in standard vulnerability databases, suggesting limited real-world exploitation at time of analysis, though the high CVSS and ease of exploitation (AV:N/AC:L/PR:N/UI:N) warrant immediate patching.

Allocation of Resources Without Limits or Throttling vulnerability in Drupal Admin Audit Trail allows Excessive Allocation.This issue affects Admin Audit Trail: from 0.0.0 before 1.0.5.

A cross-site scripting vulnerability (CVSS 7.1). High severity vulnerability requiring prompt remediation.

CVE-2025-48446 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Commerce Alphabank Redirect module that allows unauthenticated attackers to misuse functionality through a network-based attack requiring user interaction. The vulnerability affects Commerce Alphabank Redirect versions prior to 1.0.3, with a CVSS score of 8.8 indicating high severity across confidentiality, integrity, and availability impacts. No public indicators of active exploitation or proof-of-concept code are currently documented, but the high CVSS score and authorization bypass nature warrant immediate patching.

CVE-2025-48445 is an Incorrect Authorization vulnerability (CWE-863) in Drupal Commerce Eurobank (Redirect) payment module versions before 2.1.1 that allows unauthenticated attackers to misuse functionality through a network-based attack requiring user interaction. With a CVSS score of 8.8 and high impact across confidentiality, integrity, and availability, this vulnerability affects payment processing workflows in Drupal e-commerce installations. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), making it exploitable by attackers who can socially engineer victims or intercept redirect flows in payment processing.

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Allocation of Resources Without Limits or Throttling vulnerability in Drupal Events Log Track allows Excessive Allocation.0.0 before 3.1.11, from 4.0.0 before 4.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Piwik PRO allows Cross-Site Scripting (XSS).0.0 before 1.3.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass by Capture-replay vulnerability in Drupal One Time Password allows Remote Services with Stolen Credentials.0.0 before 1.3.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.0.0 before 1.3.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.0.0 before 1.3.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Missing Authorization vulnerability in Drupal Single Content Sync allows Functionality Misuse.0.0 before 1.4.12. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS).0.0 before 2.0.5, from 7.X-1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS).0.0 before 3.0.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).0.0 before 1.2.14. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS).0.0 before 2.2.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery.0.0 before 1.3.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Search API Solr allows Cross Site Request Forgery.0.0 before 4.3.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Vulnerability in Drupal Sportsleague.*. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Vulnerability in Drupal UEditor - 百度编辑器.*. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Class allows Cross-Site Scripting (XSS).0.0 before 4.0.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS).0.0 before 1.13.0, from 3.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).0.0 before 2.1.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Vulnerability in Drupal Drupal 8 Google Optimize Hide Page.*. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Vulnerability in Drupal Google Optimize.*. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Vulnerability in Drupal Google Maps: Store Locator.*. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Vulnerability in Drupal Simple GTM.*. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Vulnerability in Drupal Panelizer (obsolete).*. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Allocation of Resources Without Limits or Throttling vulnerability in Drupal Stage File Proxy allows Flooding.0.0 before 3.1.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal baguetteBox.Js allows Cross-Site Scripting (XSS).Js: from 0.0.0 before 2.0.4, from 3.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Allocation of Resources Without Limits or Throttling, Incorrect Authorization vulnerability in Drupal WEB-T allows Excessive Allocation, Content Spoofing.0.0 before 1.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Missing Authentication for Critical Function vulnerability in Drupal Panels allows Exploiting Incorrectly Configured Access Control Security Levels.0.0 before 4.9.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.