13921 matches found
Drupal JSON:API User Enumeration
The remote Drupal site has the JSON:API module enabled. By default, this module may allow an unauthenticated, remote attacker to enumerate usernames by sending requests to the JSON:API endpoint. An attacker can leverage this information to conduct further attacks, such as brute-force password...
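Worked example for the enumeration check above. This is added code, not from the page, from Drupal or from the scanner plugin: it parses the JSON:API 1.0 user collection a Drupal site returns for GET /jsonapi/user/user and reports whether an unauthenticated client learned account names. The two response bodies are constructed for the example; the `probe()` helper is the only part that touches the network and is not needed to run the offline classification.

```python
"""Offline check for Drupal JSON:API user enumeration (added example)."""
import json
import urllib.error
import urllib.request

# Constructed sample: what an unauthenticated GET /jsonapi/user/user could
# return on a site that lets anonymous clients read user resources. Field
# names follow the JSON:API user--user resource type; the values are invented.
SAMPLE_OK_BODY = json.dumps({
    "jsonapi": {"version": "1.0"},
    "data": [
        {"type": "user--user", "id": "9f1c2d3e-0000-4000-8000-000000000001",
         "attributes": {"display_name": "alice", "name": "alice"}},
        {"type": "user--user", "id": "9f1c2d3e-0000-4000-8000-000000000002",
         "attributes": {"display_name": "site-admin", "name": "site-admin"}},
    ],
})

# Constructed sample: a site where anonymous clients may not view users.
# JSON:API leaves inaccessible resources out of "data" and only notes that
# something was omitted.
SAMPLE_DENIED_BODY = json.dumps({
    "jsonapi": {"version": "1.0"},
    "data": [],
    "meta": {"omitted": {"detail": "Some resources have been omitted because "
                                   "of insufficient authorization."}},
})


def extract_usernames(body: str) -> list[str]:
    """Return account names found in a JSON:API user collection response.

    Prefers the `name` attribute and falls back to `display_name`, so the
    check works whether or not the site exposes the raw account name.
    """
    doc = json.loads(body)
    names = []
    for resource in doc.get("data") or []:
        if resource.get("type") != "user--user":
            continue
        attrs = resource.get("attributes") or {}
        name = attrs.get("name") or attrs.get("display_name")
        if name:
            names.append(name)
    return names


def classify(status: int, body: str) -> str:
    """Classify the (status, body) of an unauthenticated probe."""
    if status in (401, 403, 404):
        return "not-enumerable"
    if status != 200:
        return "inconclusive"
    return "enumerable" if extract_usernames(body) else "not-enumerable"


def probe(base_url: str, timeout: float = 10.0) -> tuple[int, str]:
    """Send the unauthenticated GET and return (status, body). Network only."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/jsonapi/user/user",
        headers={"Accept": "application/vnd.api+json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline run over the constructed samples; pass a site URL to probe() to
    # test a real target you are authorised to assess.
    print(classify(200, SAMPLE_OK_BODY), extract_usernames(SAMPLE_OK_BODY))
    print(classify(200, SAMPLE_DENIED_BODY))
```

Send the probe without any session cookie or Authorization header: a name list returned to an authenticated user is expected behaviour, and only the anonymous result says anything about the finding above.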
Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125
This module provides a centralized content distribution and syndication solution so that customers can publish, reuse, and syndicate content across a network of Drupal websites. The module doesn't sufficiently protect export routes from cross-site request forgery (CSRF) attacks, potentially allowin...
Exploit for Improper Input Validation in Drupal
POC-CVE-2018-7600: Drupal vulnerable to CVE-2018-7600 (Drupalge...
DRUPAL-CONTRIB-2025-119
This module provides the ability to chat with an AI agent using a large language model (LLM) provider for different purposes. The module doesn't sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated...
Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124
This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI. The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker or legitimate user with valid credentials can...
Next.js - Critical - Access bypass - SA-CONTRIB-2025-122
This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing (CORS) with the insecure default setting Access-Control-Allow-Origin: *, overriding any services.yml CORS configuration. This allows...
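Worked example for verifying the CORS default described above. This is added code, not from the page or from the Next.js module: it inspects the response headers a site sends for a cross-origin request and flags the wildcard origin, a reflected untrusted origin, and credentials allowed for an origin outside the allowlist. The header sets and origins are constructed for the example.

```python
"""Classify CORS response headers from a cross-origin probe (added example)."""
INSECURE_WILDCARD = "insecure: Access-Control-Allow-Origin is '*'"
INSECURE_REFLECTED = "insecure: untrusted Origin is reflected"
INSECURE_CREDENTIALS = "insecure: credentials allowed for a non-allowlisted origin"
OK = "ok"

# Constructed header sets. The first is the module default the advisory
# describes; the second is a reflection misconfiguration for contrast; the
# third is what a correctly restricted site returns to a trusted origin.
WILDCARD_HEADERS = {
    "Content-Type": "application/vnd.api+json",
    "Access-Control-Allow-Origin": "*",
    "Vary": "Origin",
}
REFLECTED_HEADERS = {
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
}
RESTRICTED_HEADERS = {
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Vary": "Origin",
}
TRUSTED = {"https://app.example.com"}   # assumed allowlist for the sample site


def _get(headers: dict, name: str):
    # Header names are case-insensitive; normalise before lookup.
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def classify_cors(request_origin: str, headers: dict, allowlist: set) -> list[str]:
    """Return findings for one response to a request carrying `request_origin`.

    Send the probe with an Origin that is NOT in the allowlist: only then does
    a matching Access-Control-Allow-Origin prove reflection rather than policy.
    A bare '*' cannot be combined with credentials by browsers, but it still
    lets any site read every response that needs no cookie.
    """
    findings = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    acac = _get(headers, "Access-Control-Allow-Credentials")
    if acao == "*":
        findings.append(INSECURE_WILDCARD)
    elif acao and acao == request_origin and request_origin not in allowlist:
        findings.append(INSECURE_REFLECTED)
    if acac and acac.lower() == "true" and acao and acao not in allowlist:
        findings.append(INSECURE_CREDENTIALS)
    return findings or [OK]


if __name__ == "__main__":
    for label, hdrs in (("wildcard", WILDCARD_HEADERS),
                        ("reflected", REFLECTED_HEADERS),
                        ("restricted", RESTRICTED_HEADERS)):
        origin = "https://evil.example" if label != "restricted" else "https://app.example.com"
        print(label, classify_cors(origin, hdrs, TRUSTED))
```

Because the affected module overrides services.yml, tightening cors.config there is not expected to change the result; re-run the check after updating the module, against a JSON:API path and against a page that sets a session cookie.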
Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117
This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website. These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the modu...
Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123
This module enables you to deploy content from one Drupal website to another. The module provides some default configuration without sufficient access control. This vulnerability is mitigated by the fact that an administrator can add some default access control permission...
CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118
The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration. This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system. This access bypass is possible for any account with a Vie...
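Worked example for the traversal pattern above. This is added code, not from the page or from the CKEditor 5 Premium Features module: it shows a naive resolver that joins a user-supplied image name onto a public directory, and beside it a resolver that refuses any path that does not stay below that directory. The directory names and the requested paths are constructed; the check is lexical, and a real file server should additionally compare os.path.realpath() results so symlinks cannot escape the base.

```python
"""Resolve a requested image path safely below a base directory (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

PUBLIC_IMAGES = "/var/www/html/sites/default/files/images"   # constructed
PRIVATE_FILES = "/var/www/private"                            # constructed


def naive_resolve(base: str, requested: str) -> str:
    """The vulnerable pattern: decode, join, normalise, never check the result."""
    return posixpath.normpath(posixpath.join(base, unquote(requested)))


def safe_resolve(base: str, requested: str) -> Optional[str]:
    """Return the absolute path if it stays inside `base`, otherwise None."""
    decoded = unquote(requested)
    # Reject NUL (truncates C strings), absolute paths and backslashes, which
    # some layers treat as separators.
    if "\x00" in decoded or decoded.startswith("/") or "\\" in decoded:
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    # The directory itself is not a file; anything else must sit strictly
    # below it. A second percent-decoding layer downstream would reopen the
    # hole for "%252e%252e", so decode exactly as many times as the server does.
    if candidate == base_norm or not candidate.startswith(base_norm + "/"):
        return None
    return candidate


TRAVERSAL = "../../../../../private/secret.png"                # constructed
ENCODED_TRAVERSAL = "..%2F..%2F..%2F..%2F..%2Fprivate%2Fsecret.png"

if __name__ == "__main__":
    print("naive :", naive_resolve(PUBLIC_IMAGES, TRAVERSAL))
    print("safe  :", safe_resolve(PUBLIC_IMAGES, TRAVERSAL))
    print("safe  :", safe_resolve(PUBLIC_IMAGES, "logo.png"))
```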
Fedora 42 : drupal7 (2025-f8a08bb335)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-f8a08bb335 advisory. - https://www.drupal.org/project/drupal/releases/7.99 - https://www.drupal.org/project/drupal/releases/7.100 -...
Fedora 41 : drupal7 (2025-d645721ca4)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-d645721ca4 advisory. - https://www.drupal.org/project/drupal/releases/7.99 - https://www.drupal.org/project/drupal/releases/7.100 -...
Fedora 43 : drupal7 (2025-355d5aac01)
The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-355d5aac01 advisory. - https://www.drupal.org/project/drupal/releases/7.99 - https://www.drupal.org/project/drupal/releases/7.100 -...
CVE-2025-12848
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file whose name contains JavaScript code to a Webform node with a...
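Worked example for the file name rendering issue above. This is added code, not from the page or from the Webform Multiple File Upload module: the vulnerable renderer interpolates the raw upload name into HTML, which is the pattern the advisory describes; the hardened renderer escapes at output time, and a separate sanitiser munges names that contain characters a file name never needs. The sample file names are constructed.

```python
"""Render uploaded file names into HTML without letting them become markup (added example)."""
import html
import re

PAYLOAD = '<img src=x onerror=alert(1)>.pdf'   # constructed malicious upload name


def render_link_vulnerable(filename: str, url: str) -> str:
    """Raw interpolation: any markup in the name lands in the page as markup."""
    return f'<a href="{url}">{filename}</a>'


def render_link_safe(filename: str, url: str) -> str:
    """Escape at output time, whatever the stored name looks like."""
    return (f'<a href="{html.escape(url, quote=True)}">'
            f'{html.escape(filename, quote=True)}</a>')


# Characters with no business in a display name: angle brackets, quotes,
# C0 controls and DEL. Sanitising at upload time is defence in depth; the
# output escaping above is what actually prevents the XSS.
_BAD = re.compile(r'[<>"\'\x00-\x1f\x7f]')


def sanitize_filename(filename: str) -> str:
    """Drop any path component, replace unwanted characters, bound the length."""
    name = filename.replace("\\", "/").split("/")[-1]
    name = _BAD.sub("_", name).strip(" .")
    return name[:255] or "file"


if __name__ == "__main__":
    print(render_link_vulnerable(PAYLOAD, "/files/1"))   # markup survives
    print(render_link_safe(PAYLOAD, "/files/1"))         # markup is escaped
    print(sanitize_filename(PAYLOAD))
```

Drupal 7's own escaping helper for this purpose is check_plain(); the point of the example is where the escaping sits, not which function does it.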
Fedora: Security Advisory (FEDORA-2025-f8a08bb335)
The remote host is missing an update for the drupal7 package announced via the FEDORA-2025-f8a08bb335 advisory.