PT-2026-43390

CISA added an actively exploited Drupal SQL injection to its KEV catalog and gave federal agencies until Wednesday evening to patch. If you're running Drupal in production and haven't patched CVE-2025-50329, you're exposed to trivial database compromise. No auth required. cybersecurity infosec...

CVE-2026-46633 vulnerabilities

Vulnerabilities for packages: drupal...

Exploit for CVE-2026-9082

CVE-2026-9082 / Drupal SA-CORE-2026-004 Proof of Concept...

CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in Drupal

Learn how the complex Drupal SQLi vulnerability CVE-2026-9082 exploits PostgreSQL environments and its data theft risks — and how to ensure you’re protected...

CVE-2026-8491 Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1...

CVE-2026-8491

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1...

CVE-2026-8491

CVE-2026-8491 involves an improper check in the Drupal Node View Permissions module that permits forceful browsing. Affected are Node View Permissions 0.0.0–1.6.x and 2.0.0–2.0.0, where cancelled users’ content reassigned to anonymous users could be exposed. Remediation: upgrade to 1.7.0 (for 0.0...

CVE-2026-5343

creationtimestamp| type| source ---|---|--- 2026-04-02 02:00:04+00:00| seen| https://www.drupal.org/sa-contrib-2026-031 2026-05-29 00:00:37+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mmxa6got322o 2026-05-29 00:00:45+00:00| seen|...

CVE-2026-3526 File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021

Incorrect Authorization vulnerability in Drupal File Access Fix deprecated allows Forceful Browsing.This issue affects File Access Fix deprecated: from 0.0.0 before 1.2.0...

CVE-2026-3217

Summary: CVE-2026-3217 affects Drupal SAML SSO - Service Provider module. The issue is a failure to sufficiently sanitize user input, causing a reflected Cross-site Scripting (XSS) vulnerability in web page generation. Affected version range is: Drupal SAML SSO - Service Provider: before 3.1.3 (r...

CVE-2025-13982

Cross-Site Request Forgery CSRF vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3...

CVE-2009-4990

Cross-site scripting XSS vulnerability in the Webform report module 5.x and 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a submission...

CVE-2009-4515

The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privilege requirements for storminvoiceitem nodes, which allows remote attackers to read node titles via unspecified vectors...

CVE-2017-6921

In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services rest module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or...

CVE-2025-12761

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Simple multi step form allows Cross-Site Scripting XSS.This issue affects Simple multi step form: from 0.0.0 before 2.0.0...

CVE-2025-10929

Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2...

CVE-2025-12466 Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth OAuth2 & OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth OAuth2 & OpenID Connect: from 6.0.0 before 6.0.7...

CVE-2025-12083 CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting XSS.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0...

CVE-2025-10927 Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal Plausible tracking allows Cross-Site Scripting XSS.This issue affects Plausible tracking: from 0.0.0 before 1.0.2...

EUVD-2025-33788

Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules:...