Security Advisories - drupal/core

drupal/core Security Advisories for 10.3.1 (10)

[MEDIUM] Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages

PKSA-s1zc-gcfk-ddw5 CVE-2025-3057 GHSA-39g6-x4x8-5jcm

Affected version: >=11.1.0,<11.1.3|>=11.0.0,<11.0.12|>=10.4.0,<10.4.3|>=8.0.0,<10.3.13

Reported by:
GitHub
[MEDIUM] Drupal Core Vulnerable to Forceful Browsing

PKSA-s6zc-mws4-ngh4 CVE-2025-31673 GHSA-wpp8-fjgf-pwc7

Affected version: >=11.1.0,<11.1.3|>=11.0.0,<11.0.12|>=10.4.0,<10.4.3|>=8.0.0,<10.3.13

Reported by:
GitHub
[MEDIUM] Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability

PKSA-ctyc-dmct-npkz CVE-2025-31674 GHSA-2qph-q8xw-gv7q

Affected version: >=11.1.0,<11.1.3|>=11.0.0,<11.0.12|>=10.4.0,<10.4.3|>=8.0.0,<10.3.13

Reported by:
GitHub
[LOW] Drupal Core Cross-Site Scripting (XSS) Vulnerability

PKSA-42zc-x5ss-z64p CVE-2025-31675 GHSA-m4wj-hhwj-47qp

Affected version: >=11.1.0,<11.1.5|>=11.0.0,<11.0.13|>=10.4.0,<10.4.5|>=8.0.0,<10.3.14

Reported by:
GitHub
[MEDIUM] Drupal core Access bypass

PKSA-ts55-c66h-g96n CVE-2024-55634 GHSA-7cwc-fjqm-8vh8

Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.0.0,<10.2.11

Reported by:
GitHub
[LOW] Drupal core contains a potential PHP Object Injection vulnerability

PKSA-jthw-vxjy-kxnx CVE-2024-55636 GHSA-938f-5r4f-h65v

Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11

Reported by:
GitHub
[HIGH] Drupal core contains a potential PHP Object Injection vulnerability

PKSA-g51h-n1x3-mszr CVE-2024-55637 GHSA-w6rx-9g2x-mg5g

Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11

Reported by:
GitHub
[HIGH] Drupal core contains a potential PHP Object Injection vulnerability

PKSA-xd2s-f2mt-7tf3 CVE-2024-55638 GHSA-gvf2-2f4g-jqf4

Affected version: >=7.0,<7.102|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11

Reported by:
GitHub
[MEDIUM] Drupal Core Cross-Site Scripting (XSS)

PKSA-yjvc-rnsz-8n3c CVE-2024-12393 GHSA-8mvq-8h2v-j9vf

Affected version: >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11

Reported by:
GitHub
[MEDIUM] Drupal Full Path Disclosure

PKSA-styk-3knc-d1bt CVE-2024-45440 GHSA-mg8j-w93w-xjgc

Affected version: >=8.0.0,<10.2.9|>=10.3.0,<10.3.6|>=11.0.0,<11.0.5

Reported by:
GitHub

drupal/core Security Advisories for 10.3.1 (10)

[MEDIUM] Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages

[MEDIUM] Drupal Core Vulnerable to Forceful Browsing

[MEDIUM] Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability

[LOW] Drupal Core Cross-Site Scripting (XSS) Vulnerability

[MEDIUM] Drupal core Access bypass

[LOW] Drupal core contains a potential PHP Object Injection vulnerability

[HIGH] Drupal core contains a potential PHP Object Injection vulnerability

[HIGH] Drupal core contains a potential PHP Object Injection vulnerability

[MEDIUM] Drupal Core Cross-Site Scripting (XSS)

[MEDIUM] Drupal Full Path Disclosure