36
CVEs
1
Critical
9
High
0
KEV
5
PoC
2
Unpatched C/H
83.3%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
1
HIGH
9
MEDIUM
24
LOW
2
Monthly CVE Trend
Affected Products (30)
Debian Linux
43
PHP
30
Fedora
19
Open Redirect
11
Peoplesoft Enterprise Peopletools
10
Application Express
10
Open Social
8
Miniorange 2fa
6
Jd Edwards Enterpriseone Tools
6
Ckeditor
6
Weblogic Server
6
Communications Operations Monitor
5
H300E Firmware
5
Banking Platform
5
H500s Firmware
5
H410c Firmware
5
Agile Plm
5
H500E Firmware
5
Rest Data Services
5
H410s Firmware
5
H700E Firmware
5
Artificial Intelligence
5
Policy Automation
5
H700s Firmware
5
Communications Interactive Session Recorder
5
H300s Firmware
5
Hospitality Materials Control
4
Two Factor Authentication
4
Banking Digital Experience
4
Symfony
4
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-0750 | Commerce Paybox versions up to 7.X-1.5. is affected by improper verification of cryptographic signature (CVSS 7.5). | HIGH | 7.5 | 0.0% | 58 |
PoC
No patch
|
| CVE-2026-24478 | AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity. | HIGH | 7.2 | 0.2% | 56 |
PoC
No patch
|
| CVE-2026-0749 | Cross-site scripting (XSS) in Drupal Form Builder 7.x versions 1.0 through 1.22 allows unauthenticated attackers to inject malicious scripts through improperly sanitized form inputs, affecting users who interact with compromised forms. Public exploit code exists for this vulnerability, and no patch is currently available, leaving vulnerable installations at active risk of session hijacking, credential theft, and defacement. | MEDIUM | 6.1 | 0.0% | 51 |
PoC
No patch
|
| CVE-2025-8995 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.0.0 before 2.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 0.1% | 49 |
|
| CVE-2025-14556 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. [CVSS 5.4 MEDIUM] | MEDIUM | 5.4 | 0.0% | 47 |
PoC
No patch
|
| CVE-2025-14557 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. [CVSS 4.8 MEDIUM] | MEDIUM | 4.8 | 0.0% | 44 |
PoC
No patch
|
| CVE-2025-8675 | Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.0.0 before 1.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | HIGH | 8.8 | 0.0% | 44 |
|
| CVE-2025-13982 | Login Time Restriction versions up to 1.0.3. is affected by cross-site request forgery (csrf) (CVSS 8.1). | HIGH | 8.1 | 0.0% | 41 |
|
| CVE-2025-14472 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.0% | 41 |
|
| CVE-2025-8361 | Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.0.0 before 2.18.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | HIGH | 7.6 | 0.0% | 38 |
|
| CVE-2025-8092 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).0.0 before 1.2.16. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | HIGH | 7.6 | 0.0% | 38 |
|
| CVE-2025-14840 | Http Client Manager versions up to 9.3.13 is affected by improper check for unusual or exceptional conditions (CVSS 7.5). | HIGH | 7.5 | 0.1% | 38 |
|
| CVE-2025-12848 | Cross-site scripting (XSS) in Drupal 7.x Webform Multiple File Upload module versions 7.x-1.2 through 7.x-1.6 enables unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading files with malicious filenames to Webform nodes where file type validation is disabled. The vulnerability originates in the third-party fyneworks/multifile library's file name renderer. With EPSS at 0.07% (21st percentile) and no public exploit identified at time of analysis, exploitation probability remains low despite the CVSS 7.0 score. | HIGH | 7.0 | 0.1% | 35 |
|
| CVE-2026-0948 | The Microsoft Entra ID SSO Login module for Drupal before version 1.0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to escalate privileges through an alternate authentication channel. An attacker can exploit this flaw to gain unauthorized access with elevated permissions on affected Drupal installations. No patch is currently available, and the vulnerability has low exploit probability (EPSS 0.1%). | MEDIUM | 6.5 | 0.1% | 33 |
|
| CVE-2025-9551 | Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5. | MEDIUM | 6.5 | 0.0% | 33 |
|