14 matches found

Vulnrichment
added 2026/05/28 10:50 p.m. · 9 views

CVE-2026-6816 TFA Basic Plugins - Access Bypass

An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2...

CVSS 5.1 · AI score 5.8 · EPSS 0.00029
Exploits: 1 · References: 2

Cvelist
added 2026/05/21 9:48 p.m. · 25 views

CVE-2026-4929 Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output shsfieldformatterview and term-tree child-term data generation shstermgetchildren. Malicious taxonomy term...

CVSS 5.1 · EPSS 0.0003
Exploits: 1 · References: 2

CNNVD
added 2026/05/21 12:00 a.m. · 6 views

Drupal Security Vulnerability

Drupal is an open-source content management system developed using the PHP language by the Drupal community. Versions 7.x-1.0 to 7.x-1.10 of Drupal have security vulnerabilities. These vulnerabilities stem from improper output escaping of term-derived text in Simple Hierarchical Select, which may...

CVSS 5.4 · AI score 5.6 · EPSS 0.0003
Exploits: 1 · References: 1

Cvelist
added 2026/01/14 6:40 p.m. · 18 views

CVE-2025-14557 XSS in Drupal 7 Facebook Pixel Module

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel (facebookpixel) allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1...

CVSS 4.8 · EPSS 0.00062
Exploits: 1 · References: 2

ATTACKERKB
added 2026/01/14 6:40 p.m. · 3 views

CVE-2025-14557

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel (facebookpixel) allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1...

CVSS 4.8 · AI score 5.5 · EPSS 0.00062
Exploits: 1 · References: 3 · Affected Software: 1

OSV
added 2025/01/09 8:15 p.m. · 1 views

CVE-2024-13268

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno allows PHP Local File Inclusion. This issue affects Opigno: from 7.X-1.0 before 7.X-1.23...

CVSS 6.8 · AI score 5.8 · EPSS 0.00166
Exploits: 0 · References: 1

Positive Technologies
added 2024/11/06 12:00 a.m. · 4 views

PT-2024-10484 · Drupal · Drupal Basic Http Authentication

Name of the Vulnerable Software and Affected Versions: Drupal Basic HTTP Authentication versions 7.X-1.0 through 7.X-1.3; Drupal Basic HTTP Authentication versions prior to 7.X-1.4. Description: The issue is related to insufficient authorization mechanisms in the Basic HTTP Authentication module of...

CVSS 7.5 · AI score 7.4 · EPSS 0.00157
Exploits: 0 · References: 5

Positive Technologies
added 2024/02/28 12:00 a.m. · 3 views

PT-2024-10098 · Drupal · Node Access Rebuild Progressive

Name of the Vulnerable Software and Affected Versions: Node Access Rebuild Progressive versions 7.X-1.0 through 7.X-1.2. Description: The issue is related to improper ownership management in Node Access Rebuild Progressive, allowing target influence via framing. This can be exploited by a remote...

CVSS 5.5 · AI score 7.4 · EPSS 0.0033
Exploits: 0 · References: 6

CNVD
added 2019/12/16 12:00 a.m. · 2 views

Views Dynamic Fields Code Issue Vulnerability

Drupal is an open source content management system developed in PHP and maintained by the Drupal community. Views Dynamic Fields is one of its modules, used for field filtering and display. A code issue vulnerability exists in Drupal Views Dynamic Fields 7.x-1.0-alpha4 and earlier versions for...

CVSS 9.8 · AI score 7.3 · EPSS 0.01547
Exploits: 0 · References: 1

CNVD
added 2018/04/09 12:00 a.m. · 4 views

Drupal avatar_uploader arbitrary file download vulnerability

avatar_uploader is the module used to implement the function of uploading user images in a content management system maintained by the Drupal community. A security vulnerability exists in avatar_uploader version 7.x-1.0-beta8, which is caused by code in the view.php file that fails to validate user...

CVSS 7.5 · AI score 7.1 · EPSS 0.81446
Exploits: 6 · References: 1

CVE
added 2015/06/15 2:00 p.m. · 53 views

CVE-2015-4386

The CVE-2015-4386 entry refers to a Drupal EntityBulkDelete module vulnerability (7.x-1.0) involving multiple XSS flaws in unspecified administration pages. The root cause is insufficient sanitization of user-supplied text in admin interfaces, which could allow remote attackers to inject arbitrar...

CVSS 4.3 · AI score 5.9 · EPSS 0.00285
Exploits: 0 · References: 4 · Affected Software: 1

Drupal
added 2014/04/09 12:00 a.m. · 19 views

SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting

SimpleCorp theme is a free responsive Drupal theme. The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers...

CVSS 3.5 · AI score 6.4 · EPSS 0.00232
Exploits: 0 · References: 11

Drupal
added 2013/09/11 12:00 a.m. · 18 views

SA-CONTRIB-2013-076 - jQuery Countdown - Cross Site Scripting (XSS)

This jQuery Countdown Module enables you to display a countdown block based upon date settings. The jQuery Countdown Module does not properly sanitize the settings, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability. This vulnerability ...

CVSS 2.1 · AI score 5.7 · EPSS 0.00209
Exploits: 0 · References: 10

Drupal
added 2012/04/04 12:00 a.m. · 15 views

SA-CONTRIB-2012-057 - Printer, email and PDF versions - Cross Site Scripting (XSS)

CVE: CVE-2012-2084. This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently escape URL elements which are printed back to the user. Versions affected: Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.15...

CVSS 4.3 · AI score 6.5 · EPSS 0.00682
Exploits: 0 · References: 14