| Metric | Value |
|---|---|
| CVEs | 22 |
| Critical | 0 |
| High | 5 |
| KEV | 0 |
| PoC | 5 |
| Unpatched C/H | 2 |
| Patch Rate | 77.3% |
| Avg EPSS | 0.0% |
Severity Breakdown
| Severity | Count |
|---|---|
| CRITICAL | 0 |
| HIGH | 5 |
| MEDIUM | 17 |
| LOW | 0 |
Affected Products (30)
| Product | Count |
|---|---|
| PHP | 14 |
| Open Social | 8 |
| Miniorange 2fa | 6 |
| Artificial Intelligence | 5 |
| Deserialization | 4 |
| Two Factor Authentication | 4 |
| Cookies Consent Management | 3 |
| One Time Password | 3 |
| Paragraphs Table | 2 |
| Google Tag | 2 |
| Email Tfa | 2 |
| Node Access Rebuild Progressive | 2 |
| File Entity | 2 |
| Command Injection | 2 |
| Simple Klaro | 2 |
| Quick Node Block | 2 |
| AI / ML | 2 |
| Authenticator Login | 2 |
| Monster Menus | 2 |
| Post File | 2 |
| Entity Share | 1 |
| Protected Pages | 1 |
| Opigno Module | 1 |
| Learning Path | 1 |
| Diff | 1 |
| Single Content Sync | 1 |
| Toc.Js | 1 |
| Facets | 1 |
| Spamspan Filter | 1 |
| Dam | 1 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-0750 | Commerce Paybox versions up to 7.X-1.5 are affected by improper verification of a cryptographic signature (CVSS 7.5). | HIGH | 7.5 | 0.0% | 58 | PoC, No patch |
| CVE-2026-24478 | AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity. | HIGH | 7.2 | 0.2% | 56 | PoC, No patch |
| CVE-2026-0749 | Cross-site scripting (XSS) in Drupal Form Builder 7.x versions 1.0 through 1.22 allows unauthenticated attackers to inject malicious scripts through improperly sanitized form inputs, affecting users who interact with compromised forms. Public exploit code exists for this vulnerability, and no patch is currently available, leaving vulnerable installations at active risk of session hijacking, credential theft, and defacement. | MEDIUM | 6.1 | 0.0% | 51 | PoC, No patch |
| CVE-2025-14556 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS). This issue affects Flag: from 7.X-3.0 through 7.X-3.9. [CVSS 5.4 MEDIUM] | MEDIUM | 5.4 | 0.0% | 47 | PoC, No patch |
| CVE-2025-14557 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. [CVSS 4.8 MEDIUM] | MEDIUM | 4.8 | 0.0% | 44 | PoC, No patch |
| CVE-2025-13982 | Login Time Restriction versions up to 1.0.3 are affected by cross-site request forgery (CSRF) (CVSS 8.1). | HIGH | 8.1 | 0.0% | 41 | |
| CVE-2025-14472 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery. This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.0% | 41 | |
| CVE-2025-14840 | Http Client Manager versions up to 9.3.13 are affected by an improper check for unusual or exceptional conditions (CVSS 7.5). | HIGH | 7.5 | 0.1% | 38 | |
| CVE-2026-0948 | The Microsoft Entra ID SSO Login module for Drupal before version 1.0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to escalate privileges through an alternate authentication channel. An attacker can exploit this flaw to gain unauthorized access with elevated permissions on affected Drupal installations. No patch is currently available, and the vulnerability has low exploit probability (EPSS 0.1%). | MEDIUM | 6.5 | 0.1% | 33 | |
| CVE-2026-0946 | Cross-site scripting in the AT Internet SmartTag Drupal module versions before 1.0.1 enables attackers to inject malicious scripts through improper input validation on web pages. An attacker can exploit this vulnerability remotely without authentication to steal session cookies, perform actions on behalf of users, or deface content, though user interaction is required for successful exploitation. No patch is currently available for affected Drupal installations. | MEDIUM | 6.1 | 0.0% | 31 | |
| CVE-2025-13984 | Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. [CVSS 6.1 MEDIUM] | MEDIUM | 6.1 | 0.0% | 31 | |
| CVE-2025-13983 | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.44. [CVSS 5.4 MEDIUM] | MEDIUM | 5.4 | 0.0% | 27 | |
| CVE-2025-13979 | Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS. This issue affects Mini site: from 0.0.0 before 3.0.2. [CVSS 5.4 MEDIUM] | MEDIUM | 5.4 | 0.0% | 27 | |
| CVE-2026-3212 | A Cross-Site Scripting (XSS) vulnerability exists in Drupal Tagify module versions prior to 1.2.49, stemming from improper neutralization of user input during web page generation. An attacker can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. This vulnerability affects all Tagify installations from version 0.0.0 through 1.2.48, and patch availability has been confirmed through the Drupal security advisory. | MEDIUM | 5.4 | 0.0% | 27 | |
| CVE-2025-13980 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM] | MEDIUM | 5.3 | 0.1% | 27 | |