
13921 matches found

Github Security Blog
added 2025/11/18 6:32 p.m., 4 views

Drupal Email TFA allows Functionality Bypass

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6...

CVSS 5.4 | AI score 7 | EPSS 0.00179
Exploits: 0 | References: 3 | Affected Software: 1
Github Security Blog
added 2025/11/18 6:32 p.m., 3 views

Drupal Simple multi step form allows Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Simple multi step form allows Cross-Site Scripting XSS. This issue affects Simple multi step form: from 0.0.0 before 2.0.0...

CVSS 3.5 | AI score 5.9 | EPSS 0.00148
Exploits: 0 | References: 3 | Affected Software: 1
Snyk
added 2025/11/18 5:43 p.m., 1 view

User Interface (UI) Misrepresentation of Critical Information

Overview drupal/core is an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to User Interface UI Misrepresentation of Critical Information. An attacker who convinces a user to follow a malicious link can...

CVSS 4.3 | AI score 6.6 | EPSS 0.00193
Exploits: 0 | References: 2
Snyk
added 2025/11/18 5:43 p.m., 1 view

Use of Web Browser Cache Containing Sensitive Information

Overview drupal/core is an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information via the HTTP header Cache-Control: public, which may be applied by a...

CVSS 3.7 | AI score 6.7 | EPSS 0.00243
Exploits: 0 | References: 2
Snyk
added 2025/11/18 5:40 p.m., 1 view

Improper Check for Unusual or Exceptional Conditions

Overview drupal/core is an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the sanitize function in the RequestSanitizer.php file, allowing cache...

CVSS 5.4 | AI score 6.8 | EPSS 0.00281
Exploits: 0 | References: 2
Snyk
added 2025/11/18 5:40 p.m., 2 views

Deserialization of Untrusted Data

Overview drupal/core is an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via improper handling of dynamically-determined object attributes. An attacker who has...

CVSS 7.5 | AI score 7.6 | EPSS 0.00223
Exploits: 0 | References: 2
OSV
added 2025/11/18 5:15 p.m., 3 views

CVE-2025-13082

User Interface UI Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...

CVSS 4.3 | AI score 6.8
Exploits: 0 | References: 1
NVD
added 2025/11/18 5:15 p.m., 3 views

CVE-2025-13083

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before...

CVSS 3.7 | EPSS 0.00243
Exploits: 0 | References: 1
NVD
added 2025/11/18 5:15 p.m., 3 views

CVE-2025-13082

User Interface UI Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...

CVSS 4.3 | EPSS 0.00193
Exploits: 0 | References: 1
OSV
added 2025/11/18 5:15 p.m., 6 views

CVE-2025-13083

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before...

CVSS 3.7 | AI score 6.4
Exploits: 0 | References: 1
OSV
added 2025/11/18 5:15 p.m., 2 views

CVE-2025-12761

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Simple multi step form allows Cross-Site Scripting XSS. This issue affects Simple multi step form: from 0.0.0 before 2.0.0...

CVSS 3.5 | AI score 5.8 | EPSS 0.00148
Exploits: 0 | References: 1
OSV
added 2025/11/18 5:15 p.m., 2 views

CVE-2025-13080

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...

CVSS 5.3 | AI score 6.9
Exploits: 0 | References: 1
OSV
added 2025/11/18 5:15 p.m., 3 views

CVE-2025-12760

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6...

CVSS 5.4 | AI score 5.8 | EPSS 0.00179
Exploits: 0 | References: 1
NVD
added 2025/11/18 5:15 p.m., 3 views

CVE-2025-12761

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Simple multi step form allows Cross-Site Scripting XSS. This issue affects Simple multi step form: from 0.0.0 before 2.0.0...

CVSS 3.5 | EPSS 0.00148
Exploits: 0 | References: 1
NVD
added 2025/11/18 5:15 p.m., 2 views

CVE-2025-13080

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...

CVSS 5.3 | EPSS 0.00281
Exploits: 0 | References: 1
NVD
added 2025/11/18 5:15 p.m., 2 views

CVE-2025-12760

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6...

CVSS 5.4 | EPSS 0.00179
Exploits: 0 | References: 1
NVD
added 2025/11/18 5:15 p.m., 2 views

CVE-2025-13081

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...

CVSS 5.9 | EPSS 0.00223
Exploits: 0 | References: 1
OSV
added 2025/11/18 5:15 p.m., 2 views

CVE-2025-13081

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...

CVSS 5.9 | AI score 6.9
Exploits: 0 | References: 1
Cvelist
added 2025/11/18 4:56 p.m., 7 views

CVE-2025-12761 Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Simple multi step form allows Cross-Site Scripting XSS. This issue affects Simple multi step form: from 0.0.0 before 2.0.0...

EPSS 0.00148
Exploits: 0 | References: 1
CVE
added 2025/11/18 4:56 p.m., 10 views

CVE-2025-12761

The CVE-2025-12761 issue affects Drupal’s Simple multi step form module (pre-2.0.0). The root cause is improper neutralization of input during web page generation, leading to Cross-Site Scripting (XSS). Practical impact is that attacker-supplied content could be rendered as code in pages viewed b...

CVSS 3.5 | AI score 5.5 | EPSS 0.00148
Exploits: 0 | References: 1 | Affected Software: 1