Skip to main content

Drupal Core

9 CVEs product

Monthly

CVE-2026-55808 PHP MEDIUM PATCH This Month

Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenticated low-privileged attacker to inject malicious client-side script that executes in the browser of a victim who interacts with the crafted content. The CVSS scope-change indicator (S:C) confirms the impact escapes the originating component into the victim's browser context, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code has been identified and EPSS sits at 0.15% (5th percentile), indicating low automated exploitation probability at time of analysis, though the wide deployment footprint of Drupal still makes patching urgent.

XSS Drupal Core
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-55807 PHP LOW PATCH Monitor

Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server into issuing unauthorized HTTP requests to internal or restricted network destinations. All active 10.6.x and 11.x release branches are affected, along with end-of-life 11.0.x and 11.1.x branches, covering a broad swath of production Drupal deployments. No public exploit code has been identified and EPSS sits at the 3rd percentile, but the large Drupal deployment footprint elevates aggregate exposure even at low per-instance exploitation probability.

SSRF Drupal Core
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-55806 PHP MEDIUM PATCH This Month

Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by forwarding victims from a trusted Drupal domain to an attacker-controlled site via crafted URLs. The exposure spans the 10.x and 11.x release trains, creating a broad attack surface across the Drupal install base. EPSS probability sits at 0.13% (3rd percentile) and the vulnerability is absent from CISA KEV, indicating low observed exploitation to date despite the wide version coverage.

Open Redirect Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-55804 PHP MEDIUM PATCH This Month

Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (CWE-915) exposes sites to high-severity confidentiality and integrity compromise when triggered by an authenticated user with high privileges. Affected branches include the entire 10.x line before 10.5.12 and 10.6.11, the fully unsupported 11.0.x and 11.1.x trees, and the 11.2.x and 11.3.x lines before 11.2.14 and 11.3.12 respectively. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at just 0.16% (6th percentile), making this a patch-priority rather than emergency-response scenario.

Code Injection Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-55803 PHP MEDIUM PATCH This Month

Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamically-determined PHP object attributes, potentially compromising confidentiality and data integrity of the application. Affected versions span multiple active and end-of-life branches: 10.5.x through 10.5.12, 10.6.0 through 10.6.11, 11.2.0 through 11.2.14, 11.3.0 through 11.3.12, and the entirely unsupported 11.0.x and 11.1.x branches. No public exploit code is identified at time of analysis, and EPSS at 0.16% (6th percentile) signals very low observed exploitation activity despite the C:H/I:H impact potential.

Code Injection Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-9082 PHP MEDIUM POC KEV PATCH THREAT NEWS GHSA Act Now

SQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated attackers to manipulate database queries with no required privileges or user interaction, as confirmed by CVSS vector AV:N/AC:L/PR:N/UI:N. The vulnerability yields partial confidentiality and integrity impact per CVSS - enabling data enumeration and limited data manipulation - but does not grant full database control or server compromise. No active exploitation is confirmed (not listed in CISA KEV; SSVC exploitation status: none), but SSVC flags this as automatable, making opportunistic mass scanning against the large global Drupal install base a credible near-term risk.

SQLi Drupal Core
NVD GitHub VulDB Exploit-DB
CVSS 3.1
6.5
EPSS
0.0%
Threat
4.3
CVE-2026-6367 PHP MEDIUM PATCH This Month

Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.

XSS Drupal Core
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6366 PHP MEDIUM PATCH This Month

Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.

Code Injection Drupal Core
NVD VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-6365 PHP MEDIUM PATCH This Month

Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.

XSS Drupal Core
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenticated low-privileged attacker to inject malicious client-side script that executes in the browser of a victim who interacts with the crafted content. The CVSS scope-change indicator (S:C) confirms the impact escapes the originating component into the victim's browser context, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code has been identified and EPSS sits at 0.15% (5th percentile), indicating low automated exploitation probability at time of analysis, though the wide deployment footprint of Drupal still makes patching urgent.

XSS Drupal Core
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server into issuing unauthorized HTTP requests to internal or restricted network destinations. All active 10.6.x and 11.x release branches are affected, along with end-of-life 11.0.x and 11.1.x branches, covering a broad swath of production Drupal deployments. No public exploit code has been identified and EPSS sits at the 3rd percentile, but the large Drupal deployment footprint elevates aggregate exposure even at low per-instance exploitation probability.

SSRF Drupal Core
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by forwarding victims from a trusted Drupal domain to an attacker-controlled site via crafted URLs. The exposure spans the 10.x and 11.x release trains, creating a broad attack surface across the Drupal install base. EPSS probability sits at 0.13% (3rd percentile) and the vulnerability is absent from CISA KEV, indicating low observed exploitation to date despite the wide version coverage.

Open Redirect Drupal Core
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (CWE-915) exposes sites to high-severity confidentiality and integrity compromise when triggered by an authenticated user with high privileges. Affected branches include the entire 10.x line before 10.5.12 and 10.6.11, the fully unsupported 11.0.x and 11.1.x trees, and the 11.2.x and 11.3.x lines before 11.2.14 and 11.3.12 respectively. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at just 0.16% (6th percentile), making this a patch-priority rather than emergency-response scenario.

Code Injection Drupal Core
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamically-determined PHP object attributes, potentially compromising confidentiality and data integrity of the application. Affected versions span multiple active and end-of-life branches: 10.5.x through 10.5.12, 10.6.0 through 10.6.11, 11.2.0 through 11.2.14, 11.3.0 through 11.3.12, and the entirely unsupported 11.0.x and 11.1.x branches. No public exploit code is identified at time of analysis, and EPSS at 0.16% (6th percentile) signals very low observed exploitation activity despite the C:H/I:H impact potential.

Code Injection Drupal Core
NVD
EPSS 0% 4.3 CVSS 6.5
MEDIUM POC KEV PATCH THREAT Act Now

SQL injection in Drupal Core across six major version branches (8.9.0 through 11.3.x) enables remote unauthenticated attackers to manipulate database queries with no required privileges or user interaction, as confirmed by CVSS vector AV:N/AC:L/PR:N/UI:N. The vulnerability yields partial confidentiality and integrity impact per CVSS - enabling data enumeration and limited data manipulation - but does not grant full database control or server compromise. No active exploitation is confirmed (not listed in CISA KEV; SSVC exploitation status: none), but SSVC flags this as automatable, making opportunistic mass scanning against the large global Drupal install base a credible near-term risk.

SQLi Drupal Core
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.

XSS Drupal Core
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.

Code Injection Drupal Core
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.

XSS Drupal Core
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy