Feed live

Drupal vulnerabilities - every known CVE across core and contributed modules

Drupal sees heavy use in government and enterprise deployments, where contributed modules are the most common source of new CVEs. Indexed and scored as they're disclosed.

Total CVEs tracked
339,646
All time
Critical · Active
10,844
CVSS ≥ 9.0
New · 14 days
2,634
Newly disclosed
Feed last synced
1 hr ago
Data freshness

Drupal security

Enterprise CMS with a strong security process

Drupal is widely used by large government, media, and enterprise websites. The Drupal Security Team reviews every reported vulnerability and issues formal advisories using SA-CORE identifiers for core issues and SA-CONTRIB identifiers for contributed modules. They coordinate embargo windows so administrators have time to patch before public disclosure. Each advisory includes a risk score, affected versions, and remediation steps.

Drupal has had some of the highest-impact CMS vulnerabilities ever published. Drupalgeddon (SA-CORE-2014-005 / CVE-2014-3704) was a SQL injection in the database abstraction layer that was exploited at scale within hours of disclosure. CERT advised that any unpatched site should be considered compromised. CVE-2018-7600 followed the same pattern. These incidents shaped Drupal's current focus on fast patching and automated update notifications.

Most Drupal CVEs affect contributed modules, not core. Common issues include SQL injection in custom entity queries, access bypass in content permission checks, remote code execution through unsafe file handling, cross-site scripting in display formatters, and insecure direct object references in REST API endpoints.

CVSS and triage

Drupal vulnerability severity in context

CVSS scores in this database come from NVD and reflect the worst-case severity under ideal attack conditions. The Drupal Security Team also publishes its own risk scores, which factor in exploitability history and compensating controls. For high-traffic or sensitive Drupal sites, check the official SA advisory alongside the CVSS score shown here.

Critical 9.0–10.0 Remote, no auth, max impact
High 7.0–8.9 Serious, remotely exploitable
Medium 4.0–6.9 Often requires auth or conditions
Low 0.1–3.9 Limited exploitability or impact

Drupal core patches come through the admin update interface and Composer. Contributed module patches require updating each module individually. After updating, run drush updatedb to apply any pending database updates that come with the security release.

Showing 1–30 CVEs
Sorted by Published · Newest first
CVE ID Severity CVSS Title Published
CVE-2026-55808 Jul 10, 2026 6d ago
CVE-2026-55807 Jul 10, 2026 6d ago
CVE-2026-55806 Jul 10, 2026 6d ago
CVE-2026-55804 Jul 10, 2026 6d ago
CVE-2026-55803 Jul 10, 2026 6d ago
CVE-2026-15084 Jul 10, 2026 6d ago
CVE-2026-58588 Jul 10, 2026 6d ago
CVE-2026-58587 Jul 10, 2026 6d ago
CVE-2026-4093 medium 5.1/10 May 21, 2026 1mo ago
CVE-2026-4929 medium 5.1/10 May 21, 2026 1mo ago
CVE-2026-9082 critical 9.8/10 May 20, 2026 1mo ago
CVE-2026-8492 May 19, 2026 1mo ago
CVE-2026-6367 May 19, 2026 1mo ago
CVE-2026-6366 May 19, 2026 1mo ago
CVE-2026-6365 May 19, 2026 1mo ago
CVE-2022-50957 medium 5.1/10 May 10, 2026 2mo ago
CVE-2026-0748 medium 5.3/10 Mar 26, 2026 3mo ago
CVE-2026-3216 Mar 25, 2026 3mo ago
CVE-2026-1553 Feb 4, 2026 5mo ago
CVE-2026-0749 medium 4.8/10 Jan 28, 2026 5mo ago
CVE-2025-14557 medium 4.8/10 Jan 14, 2026 6mo ago
CVE-2025-14556 medium 4.8/10 Jan 14, 2026 6mo ago
CVE-2025-13083 Nov 18, 2025 8mo ago
CVE-2025-13082 Nov 18, 2025 8mo ago
CVE-2025-13081 Nov 18, 2025 8mo ago
CVE-2025-13080 Nov 18, 2025 8mo ago
CVE-2025-7716 Jul 21, 2025 12mo ago
CVE-2025-48294 medium 4.4/10 Jul 16, 2025 1y ago
CVE-2025-6675 Jun 26, 2025 1y ago
CVE-2025-47710 May 14, 2025 1y ago
Page 1
Prev 1 2