CVE-2009-4518

Cross-site scripting XSS vulnerability in the Insert Node module 5.x before 5.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via an inserted node...

CVE-2009-4514

Cross-site scripting XSS vulnerability in the OpenSocial Shindig-Integrator module 5.x and 6.x before 6.x-2.1, a module for Drupal, allows remote authenticated users, with "create application" privileges, to inject arbitrary web script or HTML via unspecified vectors...

CVE-2009-4990

Cross-site scripting XSS vulnerability in the Webform report module 5.x and 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a submission...

CVE-2009-4520

The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path...

CVE-2009-4515

The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privilege requirements for storminvoiceitem nodes, which allows remote attackers to read node titles via unspecified vectors...

CVE-2009-4829

Cross-site scripting XSS vulnerability in the Automated Logout module 6.x-1.x before 6.x-1.7 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users with administer autologout privileges to inject arbitrary web script or HTML via unspecified vectors...

CVE-2009-4517

Cross-site request forgery CSRF vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that access unpublished content...

CVE-2009-4526

The Send by e-mail sub-module in the Print aka Printer, e-mail and PDF versions module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, does not properly enforce privilege requirements, which allows remote attackers to read page titles by requesting a "Send to friend" form...

CVE-2008-6836

Cross-site request forgery CSRF vulnerability in OpenID 5.x before 5x.-1.2, a module for Drupal, allows remote attackers to hijack the authentication of unspecified victims to delete OpenID identities via unknown vectors...

CVE-2024-34481

drupal-wiki.com Drupal Wiki before 8.31.1 allows XSS via comments, captions, and image titles of a Wiki page...

CVE-2022-26493

Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules possess an authentication and authorization bypass vulnerability. An attacker with access to a HTTP-request intercepting method is able to bypass authentication and authorization by removing the SAML Assertion Signatur...

CVE-2017-6921

In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services rest module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or...

FoolishScan

Foolish Scan v2.3 Gold Master Context-Aware CTF & Lab Re...

RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers

Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things IoT devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed...

DRUPAL-CONTRIB-2025-126

Http Client Manager introduces a new Guzzle based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The modules allows administrators to configure HTTP requests as part of Event Condition Action ECA...

Deserialization Of Untrusted Data

Drupal core is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to improper handling of object attributes, which allows an attacker to manipulate object properties and perform object injection...

Use Of Web Browser Cache Containing Sensitive Information

Drupal core is vulnerable to Use of Web Browser Cache Containing Sensitive Information. The vulnerability is due to improper cache control handling, which allows sensitive information to be stored in browser cache and potentially accessed by unauthorized users...

User Interface (UI) Misrepresentation Of Critical Information

Drupal core is vulnerable to User Interface UI Misrepresentation of Critical Information. The vulnerability is due to improper handling of UI content rendering, which allows an attacker to spoof or misrepresent content and mislead users within the application interface...

Improper Check For Unusual Or Exceptional Conditions

Drupal core is vulnerable to Improper Check for Unusual or Exceptional Conditions. The vulnerability is due to insufficient validation of access conditions, which allows an attacker to perform forceful browsing and access restricted resources without proper authorization...

📄 Drupal 11.x-dev Information Disclosure

Proof of concept script demonstrating a full path disclosure issue in Drupal version 11.x-dev. ============================================================================================================================================= | Title : Drupal 11.x-dev full Information Disclosure | |...