Bug | Description |
---|---|
TEMP-0911337-06D812 | Injection in DefaultMailSystem::mail() |
TEMP-0911336-06ADE0 | External URL injection through URL aliases |
CVE-2022-25278 | Under certain circumstances, the Drupal core form API evaluates form e ... |
CVE-2022-25277 | Drupal core sanitizes filenames with dangerous extensions upon upload ... |
CVE-2022-25276 | The Media oEmbed iframe route does not properly validate the iframe do ... |
CVE-2022-25274 | Drupal 9.3 implemented a generic entity access API for entity revision ... |
CVE-2022-25273 | Drupal core's form API has a vulnerability where certain contributed o ... |
CVE-2020-13688 | Cross-site scripting vulnerability in Drupal Core allows an attacker ... |
CVE-2020-13665 | Access bypass vulnerability in Drupal Core allows JSON:API when JSON:A ... |
CVE-2020-13664 | Arbitrary PHP code execution vulnerability in Drupal Core under certai ... |
CVE-2020-13663 | Cross Site Request Forgery vulnerability in Drupal Core Form API does ... |
CVE-2020-13662 | Open Redirect vulnerability in Drupal Core allows a user to be tricked ... |
CVE-2020-11023 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, pa ... |
CVE-2020-11022 | In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ... |
CVE-2019-11831 | The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1 ... |
CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other produc ... |
CVE-2019-10911 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x ... |
CVE-2019-10910 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x ... |
CVE-2019-10909 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x ... |
CVE-2019-6342 | An access bypass vulnerability exists when the experimental Workspaces ... |
CVE-2019-6341 | In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.1 ... |
CVE-2019-6340 | Some field types do not properly sanitize data from non-form sources i ... |
CVE-2019-6339 | In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8. ... |
CVE-2019-6338 | In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8. ... |
CVE-2018-7602 | A remote code execution vulnerability exists within multiple subsystem ... |
CVE-2018-7600 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x be ... |
CVE-2017-6932 | Drupal core 7.x versions before 7.57 has an external link injection vu ... |
CVE-2017-6929 | A jQuery cross site scripting vulnerability is present when making Aja ... |
CVE-2017-6928 | Drupal core 7.x versions before 7.57 when using Drupal's private file ... |
CVE-2017-6927 | Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 ... |
CVE-2017-6922 | In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; P ... |
CVE-2016-9452 | The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote a ... |
CVE-2016-9451 | Confirmation forms in Drupal 7.x before 7.52 make it easier for remote ... |
CVE-2016-9450 | The user password reset form in Drupal 8.x before 8.2.3 allows remote ... |
CVE-2016-9449 | The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 mig ... |
CVE-2016-7572 | The system.temporary route in Drupal 8.x before 8.1.10 does not proper ... |
CVE-2016-7571 | Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 a ... |
CVE-2016-7570 | Drupal 8.x before 8.1.10 does not properly check for "Administer comme ... |
CVE-2016-6211 | The User module in Drupal 7.x before 7.44 allows remote authenticated ... |
CVE-2016-3171 | Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before ... |
CVE-2016-3170 | The "have you forgotten your password" links in the User module in Dru ... |
CVE-2016-3169 | The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows r ... |
CVE-2016-3168 | The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might ... |
CVE-2016-3167 | Open redirect vulnerability in the drupal_goto function in Drupal 6.x ... |
CVE-2016-3166 | CRLF injection vulnerability in the drupal_set_header function in Drup ... |
CVE-2016-3165 | The Form API in Drupal 6.x before 6.38 ignores access restrictions on ... |
CVE-2016-3164 | Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might al ... |
CVE-2016-3163 | The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might ... |
CVE-2016-3162 | The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows ... |
CVE-2015-7943 | Open redirect vulnerability in the Overlay module in Drupal 7.x before ... |
CVE-2015-6665 | Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal ... |
CVE-2015-6661 | Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to ... |
CVE-2015-6660 | The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not pr ... |
CVE-2015-6659 | SQL injection vulnerability in the SQL comment filtering system in the ... |
CVE-2015-6658 | Cross-site scripting (XSS) vulnerability in the Autocomplete system in ... |
CVE-2015-3234 | The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows ... |
CVE-2015-3233 | Open redirect vulnerability in the Overlay module in Drupal 7.x before ... |
CVE-2015-3232 | Open redirect vulnerability in the Field UI module in Drupal 7.x befor ... |
CVE-2015-3231 | The Render cache system in Drupal 7.x before 7.38, when used to cache ... |
CVE-2015-2750 | Open redirect vulnerability in URL-related API functions in Drupal 6.x ... |
CVE-2015-2749 | Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7 ... |
CVE-2015-2559 | Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated ... |
CVE-2014-9016 | The password hashing API in Drupal 7.x before 7.34 and the Secure Pass ... |
CVE-2014-9015 | Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to ... |
CVE-2014-5267 | modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 ... |
CVE-2014-5266 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 a ... |
CVE-2014-5265 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 a ... |
CVE-2014-5022 | Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal ... |
CVE-2014-5021 | Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x ... |
CVE-2014-5020 | The File module in Drupal 7.x before 7.29 does not properly check perm ... |
CVE-2014-5019 | The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 al ... |
CVE-2014-3704 | The expandArguments function in the database abstraction API in Drupal ... |
CVE-2014-2983 | Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate t ... |
CVE-2014-1476 | The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an e ... |
CVE-2014-1475 | The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows ... |
CVE-2013-6389 | Open redirect vulnerability in the Overlay module in Drupal 7.x before ... |
CVE-2013-6388 | Cross-site scripting (XSS) vulnerability in the Color module in Drupal ... |
CVE-2013-6387 | Cross-site scripting (XSS) vulnerability in the Image module in Drupal ... |
CVE-2013-6386 | Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand functi ... |
CVE-2013-6385 | The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used ... |
CVE-2013-1887 | Multiple cross-site scripting (XSS) vulnerabilities in the Views modul ... |
CVE-2013-0316 | The Image module in Drupal 7.x before 7.20 allows remote attackers to ... |
CVE-2013-0246 | The Image module in Drupal 7.x before 7.19, when a private file system ... |
CVE-2013-0245 | The printer friendly version functionality in the Book module in Drupa ... |
CVE-2013-0244 | Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and ... |
CVE-2012-5653 | The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 ... |
CVE-2012-5651 | Drupal 6.x before 6.27 and 7.x before 7.18 displays information for bl ... |
CVE-2012-4554 | The OpenID module in Drupal 7.x before 7.16 allows remote OpenID serve ... |
CVE-2012-4553 | Drupal 7.x before 7.16 allows remote attackers to obtain sensitive inf ... |
CVE-2012-2922 | The request_path function in includes/bootstrap.inc in Drupal 7.14 and ... |
CVE-2012-2153 | Drupal 7.x before 7.14 does not properly restrict access to nodes in a ... |
CVE-2012-1591 | The image module in Drupal 7.x before 7.14 does not properly check per ... |
CVE-2012-1590 | The forum list in Drupal 7.x before 7.14 does not properly check user ... |
CVE-2012-1589 | Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 ... |
CVE-2012-1588 | Algorithmic complexity vulnerability in the _filter_url function in th ... |
CVE-2012-0827 | The File module in Drupal 7.x before 7.11, when using unspecified fiel ... |
CVE-2012-0826 | Cross-site request forgery (CSRF) vulnerability in the Aggregator modu ... |
CVE-2012-0825 | Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attrib ... |
CVE-2011-2726 | An access bypass issue was found in Drupal 7.x before version 7.5. If ... |
CVE-2011-2687 | Drupal 7.x before 7.3 allows remote attackers to bypass intended node_ ... |