Skip to main content

Drupal

Vendor security scorecard – 36 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 86
36
CVEs
1
Critical
9
High
0
KEV
5
PoC
2
Unpatched C/H
83.3%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
1
HIGH
9
MEDIUM
24
LOW
2

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-0750 Commerce Paybox versions up to 7.X-1.5. is affected by improper verification of cryptographic signature (CVSS 7.5). HIGH 7.5 0.0% 58
PoC No patch
CVE-2026-24478 AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity. HIGH 7.2 0.2% 56
PoC No patch
CVE-2026-0749 Cross-site scripting (XSS) in Drupal Form Builder 7.x versions 1.0 through 1.22 allows unauthenticated attackers to inject malicious scripts through improperly sanitized form inputs, affecting users who interact with compromised forms. Public exploit code exists for this vulnerability, and no patch is currently available, leaving vulnerable installations at active risk of session hijacking, credential theft, and defacement. MEDIUM 6.1 0.0% 51
PoC No patch
CVE-2025-8995 Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.0.0 before 2.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. CRITICAL 9.8 0.1% 49
CVE-2025-14556 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS).This issue affects Flag: from 7.X-3.0 through 7.X-3.9. [CVSS 5.4 MEDIUM] MEDIUM 5.4 0.0% 47
PoC No patch
CVE-2025-14557 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS.This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. [CVSS 4.8 MEDIUM] MEDIUM 4.8 0.0% 44
PoC No patch
CVE-2025-8675 Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.0.0 before 1.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. HIGH 8.8 0.0% 44
CVE-2025-13982 Login Time Restriction versions up to 1.0.3. is affected by cross-site request forgery (csrf) (CVSS 8.1). HIGH 8.1 0.0% 41
CVE-2025-14472 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. [CVSS 8.1 HIGH] HIGH 8.1 0.0% 41
CVE-2025-8361 Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.0.0 before 2.18.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. HIGH 7.6 0.0% 38
CVE-2025-8092 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).0.0 before 1.2.16. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. HIGH 7.6 0.0% 38
CVE-2025-14840 Http Client Manager versions up to 9.3.13 is affected by improper check for unusual or exceptional conditions (CVSS 7.5). HIGH 7.5 0.1% 38
CVE-2025-12848 Cross-site scripting (XSS) in Drupal 7.x Webform Multiple File Upload module versions 7.x-1.2 through 7.x-1.6 enables unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading files with malicious filenames to Webform nodes where file type validation is disabled. The vulnerability originates in the third-party fyneworks/multifile library's file name renderer. With EPSS at 0.07% (21st percentile) and no public exploit identified at time of analysis, exploitation probability remains low despite the CVSS 7.0 score. HIGH 7.0 0.1% 35
CVE-2026-0948 The Microsoft Entra ID SSO Login module for Drupal before version 1.0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to escalate privileges through an alternate authentication channel. An attacker can exploit this flaw to gain unauthorized access with elevated permissions on affected Drupal installations. No patch is currently available, and the vulnerability has low exploit probability (EPSS 0.1%). MEDIUM 6.5 0.1% 33
CVE-2025-9551 Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5. MEDIUM 6.5 0.0% 33

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy