DRUPAL-CORE-2025-001

Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability XSS. Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This...

Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability XSS. Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This...

Drupal 7.x < 7.96 / 9.4.x < 9.4.14 / 9.5.x < 9.5.8 / 10.x < 10.0.8 Drupal Vulnerability (SA-CORE-2023-005)

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.96, 9.4.x prior to 9.4.14, 9.5.x prior to 9.5.8, or 10.x prior to 10.0.8. It is, therefore, affected by a vulnerability. - The file download facility doesn't sufficiently sanitize fil...

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your...

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files. This release was coordinated with SA-CONTRIB-2023-010. This advisory is not covered by Drupal Steward...

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module which comes with the Standard...

DRUPAL-CORE-2021-006

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to...

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to...