Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Total 851 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2006-2831 1 Drupal 1 Drupal 2025-04-03 7.5 HIGH N/A
Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.
CVE-2005-3974 1 Drupal 1 Drupal 2025-04-03 6.4 MEDIUM N/A
Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission.
CVE-2006-4109 1 Drupal 1 Bibliography Module 2025-04-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Bibliography (biblio.module) 4.6 before revision 1.1.1.1.4.11 and 4.7 before revision 1.13.2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2006-1225 1 Drupal 1 Drupal 2025-04-03 5.0 MEDIUM N/A
CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy.
CVE-2006-4120 1 Drupal 2 Drupal, Recipe Module 2025-04-03 5.1 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Recipe module (recipe.module) before 1.54 for Drupal 4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2006-4717 1 Drupal 1 Drupal Pubcookie Module 2025-04-03 7.5 HIGH N/A
The login redirection mechanism in the Drupal 4.7 Pubcookie module before 1.2.2.4 2006/09/06 and the Drupal 4.6 Pubcookie module before 1.6.2.1 2006/09/07 allows remote attackers to bypass authentication requirements and spoof identities of arbitrary users via unspecified vectors.
CVE-2005-0682 1 Drupal 1 Drupal 2025-04-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in common.inc in Drupal before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via certain inputs.
CVE-2006-4002 1 Drupal 1 Drupal 2025-04-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 before 4.6.9, and 4.7 before 4.7.3, allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: portions of these details are obtained from third party information.
CVE-2006-4356 1 Drupal 1 Drupal Easylinks Module 2025-04-03 7.5 HIGH N/A
SQL injection vulnerability in Drupal Easylinks Module (easylinks.module) 4.7 before 1.5.2.1 2006/08/19 12:02:27 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2006-1227 1 Drupal 1 Drupal 2025-04-03 4.6 MEDIUM N/A
Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages.
CVE-2002-1806 1 Drupal 1 Drupal 2025-04-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag.
CVE-2006-4947 1 Drupal 1 Search Keyword Module 2025-04-03 6.8 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Search Keywords module before 1.15 2006/09/15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output."
CVE-2005-3975 1 Drupal 1 Drupal 2025-04-03 4.0 MEDIUM N/A
Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer as a result of CVE-2005-3312. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in Drupal.
CVE-2005-2106 1 Drupal 1 Drupal 2025-04-03 5.0 MEDIUM N/A
Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.
CVE-2006-4646 1 Drupal 1 Drupal Pathauto Module 2025-04-03 6.8 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Pathauto module before pathauto_node.inc 1.17.2.1 and the Drupal 4.6 Pathauto module before pathauto_node.inc 1.14.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2006-4108 1 Drupal 1 Bibliography Module 2025-04-03 7.5 HIGH N/A
SQL injection vulnerability in Bibliography (biblio.module) 4.6 before revision 1.1.1.1.4.11 and 4.7 before revision 1.13.2.5 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2006-4355 1 Drupal 1 Drupal Easylinks Module 2025-04-03 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in Drupal Easylinks Module (easylinks.module) 4.7 before 1.5.2.1 2006/08/19 12:02:27 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2006-4107 1 Drupal 1 Job Search 2025-04-03 7.5 HIGH N/A
SQL injection vulnerability in the Job Search module (job.module) 4.6 before revision 1.3.2.1 in Drupal allows remote attackers to execute arbitrary SQL commands via a job or resume search.
CVE-2018-7600 2 Debian, Drupal 2 Debian Linux, Drupal 2025-03-14 7.5 HIGH 9.8 CRITICAL
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
CVE-2018-7602 2 Debian, Drupal 2 Debian Linux, Drupal 2025-03-14 7.5 HIGH 9.8 CRITICAL
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.