Drupal vulnerabilities - every known CVE across core and contributed modules
Drupal sees heavy use in government and enterprise deployments, where contributed modules are the most common source of new CVEs. Indexed and scored as they're disclosed.
Drupal security
Enterprise CMS with a strong security process
Drupal is widely used by large government, media, and enterprise websites. The Drupal Security Team reviews every reported vulnerability and issues formal advisories using SA-CORE identifiers for core issues and SA-CONTRIB identifiers for contributed modules. They coordinate embargo windows so administrators have time to patch before public disclosure. Each advisory includes a risk score, affected versions, and remediation steps.
Drupal has had some of the highest-impact CMS vulnerabilities ever published. Drupalgeddon (SA-CORE-2014-005 / CVE-2014-3704) was a SQL injection in the database abstraction layer that was exploited at scale within hours of disclosure. CERT advised that any unpatched site should be considered compromised. CVE-2018-7600 followed the same pattern. These incidents shaped Drupal's current focus on fast patching and automated update notifications.
Most Drupal CVEs affect contributed modules, not core. Common issues include SQL injection in custom entity queries, access bypass in content permission checks, remote code execution through unsafe file handling, cross-site scripting in display formatters, and insecure direct object references in REST API endpoints.
CVSS and triage
Drupal vulnerability severity in context
CVSS scores in this database come from NVD and reflect the worst-case severity under ideal attack conditions. The Drupal Security Team also publishes its own risk scores, which factor in exploitability history and compensating controls. For high-traffic or sensitive Drupal sites, check the official SA advisory alongside the CVSS score shown here.
Drupal core patches come through the admin update interface and Composer. Contributed module patches require updating each module individually. After updating, run drush updatedb to apply any pending database updates that come with the security release.
| CVE ID | Severity | CVSS | Title | Published |
|---|---|---|---|---|
| CVE-2026-55808 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-55807 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-55806 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-55804 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-55803 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-15084 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-58588 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-58587 | — | — | Jul 10, 2026 6d ago | |
| CVE-2026-4093 | medium | 5.1/10 | May 21, 2026 1mo ago | |
| CVE-2026-4929 | medium | 5.1/10 | May 21, 2026 1mo ago | |
| CVE-2026-9082 | critical | 9.8/10 | May 20, 2026 1mo ago | |
| CVE-2026-8492 | — | — | May 19, 2026 1mo ago | |
| CVE-2026-6367 | — | — | May 19, 2026 1mo ago | |
| CVE-2026-6366 | — | — | May 19, 2026 1mo ago | |
| CVE-2026-6365 | — | — | May 19, 2026 1mo ago | |
| CVE-2022-50957 | medium | 5.1/10 | May 10, 2026 2mo ago | |
| CVE-2026-0748 | medium | 5.3/10 | Mar 26, 2026 3mo ago | |
| CVE-2026-3216 | — | — | Mar 25, 2026 3mo ago | |
| CVE-2026-1553 | — | — | Feb 4, 2026 5mo ago | |
| CVE-2026-0749 | medium | 4.8/10 | Jan 28, 2026 5mo ago | |
| CVE-2025-14557 | medium | 4.8/10 | Jan 14, 2026 6mo ago | |
| CVE-2025-14556 | medium | 4.8/10 | Jan 14, 2026 6mo ago | |
| CVE-2025-13083 | — | — | Nov 18, 2025 8mo ago | |
| CVE-2025-13082 | — | — | Nov 18, 2025 8mo ago | |
| CVE-2025-13081 | — | — | Nov 18, 2025 8mo ago | |
| CVE-2025-13080 | — | — | Nov 18, 2025 8mo ago | |
| CVE-2025-7716 | — | — | Jul 21, 2025 12mo ago | |
| CVE-2025-48294 | medium | 4.4/10 | Jul 16, 2025 1y ago | |
| CVE-2025-6675 | — | — | Jun 26, 2025 1y ago | |
| CVE-2025-47710 | — | — | May 14, 2025 1y ago |