drupal/core Security Advisories for 9.0.0-alpha1 (34)
-
[MEDIUM] Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
PKSA-s1zc-gcfk-ddw5 CVE-2025-3057 GHSA-39g6-x4x8-5jcm
Affected version: >=11.1.0,<11.1.3|>=11.0.0,<11.0.12|>=10.4.0,<10.4.3|>=8.0.0,<10.3.13
Reported by:
GitHub -
[MEDIUM] Drupal Core Vulnerable to Forceful Browsing
PKSA-s6zc-mws4-ngh4 CVE-2025-31673 GHSA-wpp8-fjgf-pwc7
Affected version: >=11.1.0,<11.1.3|>=11.0.0,<11.0.12|>=10.4.0,<10.4.3|>=8.0.0,<10.3.13
Reported by:
GitHub -
[MEDIUM] Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
PKSA-ctyc-dmct-npkz CVE-2025-31674 GHSA-2qph-q8xw-gv7q
Affected version: >=11.1.0,<11.1.3|>=11.0.0,<11.0.12|>=10.4.0,<10.4.3|>=8.0.0,<10.3.13
Reported by:
GitHub -
[LOW] Drupal Core Cross-Site Scripting (XSS) Vulnerability
PKSA-42zc-x5ss-z64p CVE-2025-31675 GHSA-m4wj-hhwj-47qp
Affected version: >=11.1.0,<11.1.5|>=11.0.0,<11.0.13|>=10.4.0,<10.4.5|>=8.0.0,<10.3.14
Reported by:
GitHub -
[MEDIUM] Drupal core Access bypass
PKSA-ts55-c66h-g96n CVE-2024-55634 GHSA-7cwc-fjqm-8vh8
Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.0.0,<10.2.11
Reported by:
GitHub -
[LOW] Drupal core contains a potential PHP Object Injection vulnerability
PKSA-jthw-vxjy-kxnx CVE-2024-55636 GHSA-938f-5r4f-h65v
Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11
Reported by:
GitHub -
[HIGH] Drupal core contains a potential PHP Object Injection vulnerability
PKSA-g51h-n1x3-mszr CVE-2024-55637 GHSA-w6rx-9g2x-mg5g
Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11
Reported by:
GitHub -
[HIGH] Drupal core contains a potential PHP Object Injection vulnerability
PKSA-xd2s-f2mt-7tf3 CVE-2024-55638 GHSA-gvf2-2f4g-jqf4
Affected version: >=7.0,<7.102|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11
Reported by:
GitHub -
[MEDIUM] Drupal Core Cross-Site Scripting (XSS)
PKSA-yjvc-rnsz-8n3c CVE-2024-12393 GHSA-8mvq-8h2v-j9vf
Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11
Reported by:
GitHub -
[MEDIUM] Drupal Full Path Disclosure
PKSA-styk-3knc-d1bt CVE-2024-45440 GHSA-mg8j-w93w-xjgc
Affected version: >=8.0.0,<10.2.9|>=10.3.0,<10.3.6|>=11.0.0,<11.0.5
Reported by:
GitHub -
[MEDIUM] Drupal core - Moderately critical - Denial of Service
PKSA-2gfj-5sh8-j3c5 GHSA-f84q-mgj9-8jfc
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.9.0|>=8.9.0,<9.0.0|>=9.0.0,<9.1.0|>=9.1.0,<9.2.0|>=9.2.0,<9.3.0|>=9.3.0,<9.4.0|>=9.4.0,<9.5.0|>=9.5.0,<10.0.0|>=10.0.0,<10.1.0|>=10.1.0,<10.1.8|>=10.2.0,<10.2.2
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[CRITICAL] Cache poisoning in drupal/core
PKSA-my7h-svxh-5q3g CVE-2023-5256 GHSA-rjqg-3h9m-fx5x
Affected version: >=10.1.0,<10.1.4|>=10.0.0,<10.0.11|>=8.7.0,<9.5.11
Reported by:
GitHub -
[CRITICAL] Access bypass in Drupal core
PKSA-h7d4-5mdz-2965 CVE-2023-31250 GHSA-8849-cv9f-vccm
Affected version: >=7.0.0,<7.96|>=9.0.0,<9.4.14|>=9.5.0,<9.5.8|>=10.0.0,<10.0.8
Reported by:
GitHub -
[HIGH] Improper input validation in Drupal core
PKSA-fpcy-trdp-tpy2 CVE-2022-25273 GHSA-g36h-4jr6-qmm9
Affected version: >=9.3.0,<9.3.12|>=8.0.0,<9.2.18
Reported by:
GitHub -
[MEDIUM] Lack of domain validation in Druple core
PKSA-4j5n-cxxv-ptjc CVE-2022-25276 GHSA-4wfq-jc9h-vpcx
Affected version: >=9.4.0,<9.4.3|>=8.0.0,<9.3.19
Reported by:
GitHub -
[HIGH] Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
PKSA-hy6y-p19f-b5kf CVE-2022-25275 GHSA-xh3v-6f9j-wxw3
Affected version: >=7.0.0,<7.91.0|>=8.9.0,<8.10.0|>=9.0.0,<9.1.0|>=9.1.0,<9.2.0|>=9.2.0,<9.3.0|>=9.3.0,<9.3.19|>=9.4.0,<9.4.3
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
PKSA-7q72-qds7-4xyv CVE-2022-25277 GHSA-6955-67hm-vjjq
Affected version: >=8.9.0,<8.10.0|>=9.0.0,<9.1.0|>=9.1.0,<9.2.0|>=9.2.0,<9.3.0|>=9.3.0,<9.3.19|>=9.4.0,<9.4.3
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
PKSA-gkkw-qh7h-5181 CVE-2022-25278 GHSA-cfh2-7f6h-3m85
Affected version: >=8.0.0,<9.3.19|>=9.4.0,<9.4.3
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal Core Cross-site scripting vulnerability
PKSA-cp8p-f15s-htbt CVE-2020-13688 GHSA-qf2g-mrrx-rr5p
Affected version: >=9.0.0,<9.0.6|>=8.9.0,<8.9.6|>=8.8.0,<8.8.10
Reported by:
GitHub -
[HIGH] Improper input validation in Drupal core
PKSA-72rg-qbp7-873g CVE-2022-25271 GHSA-fmfv-x8mp-5767
Affected version: >=7.0.0,<7.88|>=8.0.0,<9.2.13|>=9.3.0,<9.3.6
Reported by:
GitHub -
[MEDIUM] Incorrect authorization in Drupal core
PKSA-2tvs-gcpz-cmm6 CVE-2022-25270 GHSA-73q4-j324-2qcc
Affected version: >=8.0.0,<9.2.13|>=9.3.0,<9.3.6
Reported by:
GitHub -
[MEDIUM] Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
PKSA-6dxs-yv9z-8twp GHSA-7f4f-p7mq-p4fv
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.9.0|>=8.9.0,<8.9.16|>=9.0.0,<9.1.0|>=9.1.0,<9.1.12|>=9.2.0,<9.2.4
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
PKSA-7zvx-63nf-7nkj CVE-2020-13672 GHSA-3m36-mjwj-352c
Affected version: >=7.0.0,<7.80|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.9.0|>=8.9.0,<8.9.14|>=9.0.0,<9.0.12|>=9.1.0,<9.1.7
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Critical - Cross-site scripting - SA-CORE-2021-003
PKSA-bc4x-jnrh-4k6w CVE-2021-33829 GHSA-rgx6-rjj4-c388
Affected version: >=7.0.0,<7.80|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.9.0|>=8.9.0,<8.9.16|>=9.0.0,<9.0.14|>=9.1.0,<9.1.9
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013
PKSA-kjgx-r4v3-961f GHSA-gfvf-2f25-f34r
Affected version: >=7.0.0,<7.74|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.11|>=8.9.0,<8.9.9|>=9.0.0,<9.0.8
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] Drupal core - Critical - Remote code execution - SA-CORE-2020-012
PKSA-77t6-rxnw-bfjm CVE-2020-13671 GHSA-68jc-v27h-vhmw
Affected version: >=7.0.0,<7.74|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.11|>=8.9.0,<8.9.9|>=9.0.0,<9.0.8
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
PKSA-c6qk-kgrx-8q42 CVE-2020-13666 GHSA-8jj2-x2gc-ggm7
Affected version: >=7.0.0,<7.73|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
PKSA-jknr-sjbw-zn24 CVE-2020-13667 GHSA-x2q9-r8gm-f657
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
PKSA-1k26-dn58-yzpc CVE-2020-13668 GHSA-m6q5-wv4x-fv6h
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
PKSA-69gr-9b59-5f99 CVE-2020-13669 GHSA-c533-c843-67h8
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
PKSA-ggc3-34xd-zmzd CVE-2020-13670 GHSA-mmjr-5q74-p3m4
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004
PKSA-j215-hxck-vk25 CVE-2020-13663 GHSA-m648-hpf8-qcjw
Affected version: >=7.0.0,<7.72|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.8|>=8.9.0,<8.9.1|>=9.0.0,<9.0.1
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
PKSA-jkzg-rr1r-vmvy CVE-2020-13664 GHSA-x72f-ggjw-v5xh
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.8|>=8.9.0,<8.9.1|>=9.0.0,<9.0.1
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[CRITICAL] Drupal core - Less critical - Access bypass - SA-CORE-2020-006
PKSA-5wmm-s575-4sjg CVE-2020-13665 GHSA-wxqp-jwc9-g39x
Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.8|>=8.9.0,<8.9.1|>=9.0.0,<9.0.1
Reported by:
FriendsOfPHP/security-advisories, GitHub