20
CVEs
0
Critical
5
High
0
KEV
3
PoC
2
Unpatched C/H
85.0%
Patch Rate
0.0%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
5
MEDIUM
15
LOW
0
Monthly CVE Trend
Affected Products (30)
Debian Linux
43
PHP
30
Fedora
19
Open Redirect
11
Peoplesoft Enterprise Peopletools
10
Application Express
10
Open Social
8
Miniorange 2fa
6
Jd Edwards Enterpriseone Tools
6
Ckeditor
6
Weblogic Server
6
Communications Operations Monitor
5
H300E Firmware
5
Banking Platform
5
H500s Firmware
5
H410c Firmware
5
Agile Plm
5
H500E Firmware
5
Rest Data Services
5
H410s Firmware
5
H700E Firmware
5
Artificial Intelligence
5
Policy Automation
5
H700s Firmware
5
Communications Interactive Session Recorder
5
H300s Firmware
5
Hospitality Materials Control
4
Two Factor Authentication
4
Banking Digital Experience
4
Symfony
4
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-0750 | Commerce Paybox versions up to 7.X-1.5. is affected by improper verification of cryptographic signature (CVSS 7.5). | HIGH | 7.5 | 0.0% | 58 |
PoC
No patch
|
| CVE-2026-24478 | AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity. | HIGH | 7.2 | 0.2% | 56 |
PoC
No patch
|
| CVE-2026-0749 | Cross-site scripting (XSS) in Drupal Form Builder 7.x versions 1.0 through 1.22 allows unauthenticated attackers to inject malicious scripts through improperly sanitized form inputs, affecting users who interact with compromised forms. Public exploit code exists for this vulnerability, and no patch is currently available, leaving vulnerable installations at active risk of session hijacking, credential theft, and defacement. | MEDIUM | 6.1 | 0.0% | 51 |
PoC
No patch
|
| CVE-2025-13982 | Login Time Restriction versions up to 1.0.3. is affected by cross-site request forgery (csrf) (CVSS 8.1). | HIGH | 8.1 | 0.0% | 41 |
|
| CVE-2025-14472 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.0% | 41 |
|
| CVE-2025-14840 | Http Client Manager versions up to 9.3.13 is affected by improper check for unusual or exceptional conditions (CVSS 7.5). | HIGH | 7.5 | 0.1% | 38 |
|
| CVE-2026-0948 | The Microsoft Entra ID SSO Login module for Drupal before version 1.0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to escalate privileges through an alternate authentication channel. An attacker can exploit this flaw to gain unauthorized access with elevated permissions on affected Drupal installations. No patch is currently available, and the vulnerability has low exploit probability (EPSS 0.1%). | MEDIUM | 6.5 | 0.1% | 33 |
|
| CVE-2026-0946 | Cross-site scripting in the AT Internet SmartTag Drupal module versions before 1.0.1 enables attackers to inject malicious scripts through improper input validation on web pages. An attacker can exploit this vulnerability remotely without authentication to steal session cookies, perform actions on behalf of users, or deface content, though user interaction is required for successful exploitation. No patch is currently available for affected Drupal installations. | MEDIUM | 6.1 | 0.0% | 31 |
|
| CVE-2025-13984 | Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. [CVSS 6.1 MEDIUM] | MEDIUM | 6.1 | 0.0% | 31 |
|
| CVE-2025-13983 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44. [CVSS 5.4 MEDIUM] | MEDIUM | 5.4 | 0.0% | 27 |
|
| CVE-2025-13979 | Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2. [CVSS 5.4 MEDIUM] | MEDIUM | 5.4 | 0.0% | 27 |
|
| CVE-2026-3212 | A Cross-Site Scripting (XSS) vulnerability exists in Drupal Tagify module versions prior to 1.2.49, stemming from improper neutralization of user input during web page generation. An attacker can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. This vulnerability affects all Tagify installations from version 0.0.0 through 1.2.48, and patch availability has been confirmed through the Drupal security advisory. | MEDIUM | 5.4 | 0.0% | 27 |
|
| CVE-2025-13980 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM] | MEDIUM | 5.3 | 0.1% | 27 |
|
| CVE-2025-13985 | Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0. [CVSS 5.3 MEDIUM] | MEDIUM | 5.3 | 0.0% | 27 |
|
| CVE-2026-0944 | Group Invite versions up to 2.3.9 is affected by improper check for unusual or exceptional conditions (CVSS 5.3). | MEDIUM | 5.3 | 0.0% | 27 |
|