Drupal

Vendor security scorecard – 196 CVEs in the selected period

Risk score: 404
CVEs: 196
Critical: 16
High: 49
KEV (known exploited): 0
PoC (public exploit code): 6
Unpatched critical/high: 15
Patch rate: 80.6%
Average EPSS: 0.2%

Severity Breakdown

Critical: 16
High: 49
Medium: 125
Low: 6

Monthly CVE Trend (chart; data not reproduced in text)

Top Risky CVEs

Each entry lists: CVE | severity | CVSS | EPSS | priority score | signals. "PoC" means public exploit code is reported; "No patch" means the scorecard records no vendor fix. Note that several summaries give a "before X" upper bound, which normally denotes the fixed release, while the scorecard still records "no vendor patch available"; confirm against the module's Drupal security advisory before acting on either statement.

CVE-2026-0750 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC, No patch
Improper verification of cryptographic signature in Commerce Paybox, versions up to 7.x-1.5.

CVE-2026-24478 | HIGH | CVSS 7.2 | EPSS 0.2% | Priority 56 | Signals: PoC, No patch
AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators, or attackers holding admin privileges, to write arbitrary files to the server, potentially achieving remote code execution by overwriting configuration files or injecting malicious scripts. Public exploit code exists, and the scorecard records no patch for affected deployments. The attack requires high privileges but can fully compromise server integrity.

CVE-2026-0749 | MEDIUM | CVSS 6.1 | EPSS 0.0% | Priority 51 | Signals: PoC, No patch
Cross-site scripting (XSS) in Drupal Form Builder 7.x, versions 1.0 through 1.22, allows unauthenticated attackers to inject scripts through improperly sanitized form inputs, affecting users who interact with the compromised forms. Public exploit code exists and no patch is recorded, leaving vulnerable installations exposed to session hijacking, credential theft and defacement.

CVE-2025-31681 | CRITICAL | CVSS 9.8 | EPSS 0.4% | Priority 49 | Signals: none listed
Missing Authorization in Drupal Authenticator Login allows forceful browsing. Affects versions before 2.0.6. Remotely exploitable, no authentication required, low attack complexity. No vendor patch recorded.

CVE-2025-31691 | CRITICAL | CVSS 9.8 | EPSS 0.4% | Priority 49 | Signals: none listed
Missing Authorization in Drupal OAuth2 Server allows forceful browsing. Affects versions before 2.1.0. Remotely exploitable, no authentication required, low attack complexity. No vendor patch recorded.

CVE-2025-8995 | CRITICAL | CVSS 9.8 | EPSS 0.1% | Priority 49 | Signals: none listed
Authentication Bypass Using an Alternate Path or Channel in Drupal Authenticator Login allows authentication bypass. Affects versions before 2.1.4. Remotely exploitable, no authentication required, low attack complexity. No vendor patch recorded.

CVE-2025-14556 | MEDIUM | CVSS 5.4 | EPSS 0.0% | Priority 47 | Signals: PoC, No patch
Improper Neutralization of Input During Web Page Generation (XSS) in Drupal Flag allows cross-site scripting. Affects Flag versions 7.x-3.0 through 7.x-3.9.

CVE-2025-31685 | CRITICAL | CVSS 9.1 | EPSS 0.4% | Priority 46 | Signals: none listed
Missing Authorization in Drupal Open Social allows forceful browsing. Affects versions before 12.3.11 and from 12.4.0 before 12.4.10. Remotely exploitable, no authentication required, low attack complexity. No vendor patch recorded.

CVE-2025-31676 | HIGH | CVSS 8.8 | EPSS 0.2% | Priority 44 | Signals: none listed
Weak Authentication in Drupal Email TFA allows brute force of the second factor. Affects versions before 2.0.3. Remotely exploitable, low attack complexity. No vendor patch recorded.

CVE-2025-31677 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: none listed
Cross-Site Request Forgery (CSRF) in Drupal AI (Artificial Intelligence). Affects versions before 1.0.2. Remotely exploitable, low attack complexity, no attacker authentication required; as with any CSRF, a victim holding an authenticated session must be induced to issue the request. No vendor patch recorded.

CVE-2025-47708 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: none listed
Cross-Site Request Forgery (CSRF) in Drupal Enterprise MFA - TFA for Drupal. Affects versions before 4.7.0 and from 5.0.0 before 5.2.0. Remotely exploitable, no attacker authentication required, low attack complexity. No vendor patch recorded.

CVE-2025-31690 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: none listed
Cross-Site Request Forgery (CSRF) in Drupal Cache Utility. Affects versions before 1.2.1. Remotely exploitable, no attacker authentication required, low attack complexity. No vendor patch recorded.

CVE-2025-48445 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: none listed
Incorrect Authorization (CWE-863) in the Drupal Commerce Eurobank (Redirect) payment module, versions before 2.1.1, allows unauthenticated attackers to misuse functionality through a network-based attack that requires user interaction. With a CVSS score of 8.8 and high impact on confidentiality, integrity and availability, it affects payment processing workflows in Drupal e-commerce installations. Because it requires user interaction (UI:R) but no privileges (PR:N), it is exploitable by an attacker who can socially engineer a victim or interpose on the payment redirect flow.

CVE-2025-48446 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: none listed
Incorrect Authorization (CWE-863) in the Drupal Commerce Alphabank Redirect module, versions before 1.0.3, allows unauthenticated attackers to misuse functionality through a network-based attack that requires user interaction. CVSS 8.8 reflects high impact on confidentiality, integrity and availability. No public indicators of active exploitation or proof-of-concept code are documented, but the high score and the authorization-bypass nature of the flaw warrant prompt patching.

CVE-2025-48918 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: none listed
Stored/reflected cross-site scripting (XSS) in the Drupal Simple Klaro module, versions before 1.10.0, which fails to neutralize user input during web page generation. An unauthenticated remote attacker can inject scripts that execute in victims' browsers with high impact on confidentiality and integrity, though the attack requires user interaction (following a malicious link). The 8.8 score comes from the network attack vector and broad scope; the scorecard shows EPSS 0.1% and no KEV listing for this vendor, so observed exploitation likelihood is currently low.
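As an added example (not the scorecard's own code or tooling), the following script checks a site's composer.lock against the affected version ranges quoted in the table above, handling both the legacy core-prefixed scheme (7.x-3.4) and the semver-style scheme (2.1.0), and treating pre-release suffixes as older than the release. The Composer package names (drupal/oauth2_server, drupal/email_tfa, drupal/ai, drupal/flag, goalgorilla/open_social) and the lock-file excerpt are assumptions constructed for the demonstration; the version ranges are the ones the summaries state.

```python
"""Check installed Drupal contrib versions against affected ranges from a CVE list.

Added example, not part of the scorecard page. Package names and the lock-file
excerpt below are assumed/constructed; version ranges come from the CVE summaries.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    package: str                 # Composer package name (assumed, not from the page)
    lo: Optional[str]            # inclusive lower bound, None = no lower bound
    hi: Optional[str]            # upper bound, None = no upper bound
    hi_inclusive: bool = False   # True for "through X", False for "before X"


# Ranges as stated in the scorecard summaries; package names are assumptions.
PAGE_RANGES = [
    AffectedRange("CVE-2025-31691", "drupal/oauth2_server", None, "2.1.0"),
    AffectedRange("CVE-2025-31676", "drupal/email_tfa", None, "2.0.3"),
    AffectedRange("CVE-2025-31677", "drupal/ai", None, "1.0.2"),
    AffectedRange("CVE-2025-14556", "drupal/flag", "7.x-3.0", "7.x-3.9", hi_inclusive=True),
    AffectedRange("CVE-2025-31685", "goalgorilla/open_social", None, "12.3.11"),
    AffectedRange("CVE-2025-31685", "goalgorilla/open_social", "12.4.0", "12.4.10"),
]

# Constructed composer.lock excerpt (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/oauth2_server", "version": "2.0.5"},
        {"name": "drupal/email_tfa", "version": "2.0.3"},
        {"name": "drupal/ai", "version": "1.0.1"},
        {"name": "drupal/flag", "version": "7.x-3.4"},
        {"name": "goalgorilla/open_social", "version": "12.4.3"},
    ],
    "packages-dev": [],
})

PRE_RELEASE = re.compile(r"-(alpha|beta|rc|dev)", re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Map a Drupal contrib version string to a comparable tuple.

    '7.x-3.4'     -> (7, 3, 4, 0, 1)  legacy core-prefixed scheme
    '2.1.0'       -> (0, 2, 1, 0, 1)  semver-style scheme
    '1.0.2-beta1' -> (0, 1, 0, 2, 0)  pre-release sorts below the release
    """
    core = 0
    m = re.match(r"^(\d+)\.x-(.+)$", v)
    if m:
        core, v = int(m.group(1)), m.group(2)
    nums = re.match(r"^(\d+(?:\.\d+)*)", v)
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in nums.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad "3.4" to "3.4.0"
    release_flag = 0 if PRE_RELEASE.search(v) else 1
    return (core, *parts[:3], release_flag)


def is_affected(installed: str, r: AffectedRange) -> bool:
    """True when the installed version falls inside the range r."""
    v = parse_version(installed)
    if r.lo is not None and v < parse_version(r.lo):
        return False
    if r.hi is not None:
        h = parse_version(r.hi)
        return v <= h if r.hi_inclusive else v < h
    return True


def check_lock(lock_json: str, ranges: List[AffectedRange]) -> List[Tuple[str, str, str]]:
    """Return sorted, de-duplicated (package, installed_version, cve) hits."""
    lock = json.loads(lock_json)
    installed = {}
    for section in ("packages", "packages-dev"):
        for p in lock.get(section, []):
            installed[p["name"]] = p["version"]
    hits = set()
    for r in ranges:
        ver = installed.get(r.package)
        if ver is not None and is_affected(ver, r):
            hits.add((r.package, ver, r.cve))
    return sorted(hits)


if __name__ == "__main__":
    for package, version, cve in check_lock(SAMPLE_LOCK, PAGE_RANGES):
        print(f"{cve}: {package} {version} is in an affected range")
```

Run it against a real composer.lock by replacing SAMPLE_LOCK with the file's contents; the Email TFA entry at exactly 2.0.3 is reported clean because "before 2.0.3" excludes the bound, while the Open Social 12.4.x entry matches only the second of its two ranges.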
