Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/drupal/drupal@8.5.0-rc1

Type composer

Namespace drupal

Name drupal

Version 8.5.0-rc1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 8.6.16

Latest_non_vulnerable_version 11.0.8

Affected_by_vulnerabilities

url VCID-6c6t-kmb3-2qcm

vulnerability_id VCID-6c6t-kmb3-2qcm

summary

Cross-site Scripting
In Symfony, validation messages are not escaped, which can lead to XSS when user input is included.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-10909

reference_id

reference_type

scores

value	0.00355
scoring_system	epss
scoring_elements	0.58063
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-10909

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml

reference_url

https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2

reference_url

https://www.drupal.org/sa-core-2019-005

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2019-005

reference_url

https://www.synology.com/security/advisory/Synology_SA_19_19

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.synology.com/security/advisory/Synology_SA_19_19

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-10909

reference_id

CVE-2019-10909

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-10909

reference_url

https://symfony.com/cve-2019-10909

reference_id

CVE-2019-10909

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://symfony.com/cve-2019-10909

reference_url

https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

reference_id

CVE-2019-10909-ESCAPE-VALIDATION-MESSAGES-IN-THE-PHP-TEMPLATING-ENGINE

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

fixed_packages

url pkg:composer/drupal/drupal@8.5.15

purl pkg:composer/drupal/drupal@8.5.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wszp-2es5-z7fy

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.15

url pkg:composer/drupal/drupal@8.6.15

purl pkg:composer/drupal/drupal@8.6.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-wszp-2es5-z7fy

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.15

aliases CVE-2019-10909, GHSA-g996-q5r8-w7g2

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6c6t-kmb3-2qcm

url VCID-bndv-n7w9-43b4

vulnerability_id VCID-bndv-n7w9-43b4

summary

URL Redirection to Untrusted Site ('Open Redirect')
Anonymous Open Redirect in drupal.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/drupal@8.6.2

purl pkg:composer/drupal/drupal@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2

aliases GMS-2018-60

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bndv-n7w9-43b4

url VCID-dnc7-jg8m-8fh3

vulnerability_id VCID-dnc7-jg8m-8fh3

summary

URL Redirection to Untrusted Site ('Open Redirect')
External URL injection through URL aliases in drupal.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/drupal@8.6.2

purl pkg:composer/drupal/drupal@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2

aliases GMS-2018-59

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dnc7-jg8m-8fh3

url VCID-e8un-nbkk-cbf9

vulnerability_id VCID-e8un-nbkk-cbf9

summary

Deserialization of Untrusted Data
Drupal core uses the third-party PEAR `Archive_Tar` library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-6338

reference_id

reference_type

scores

value	0.01047
scoring_system	epss
scoring_elements	0.77849
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-6338

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-6338

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-6338

reference_url

https://www.debian.org/security/2019/dsa-4370

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2019/dsa-4370

reference_url

https://www.drupal.org/sa-core-2019-001

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2019-001

reference_url

http://www.securityfocus.com/bid/106706

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/106706

fixed_packages

url pkg:composer/drupal/drupal@8.5.9

purl pkg:composer/drupal/drupal@8.5.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.9

url pkg:composer/drupal/drupal@8.6.6

purl pkg:composer/drupal/drupal@8.6.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.6

aliases CVE-2019-6338, GHSA-6rmq-x2hv-vxpp

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e8un-nbkk-cbf9

url VCID-eyew-pw17-ryfj

vulnerability_id VCID-eyew-pw17-ryfj

summary Improper Access Control in drupal.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/drupal@8.6.2

purl pkg:composer/drupal/drupal@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2

aliases GMS-2018-58

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eyew-pw17-ryfj

url VCID-nn8g-m52e-5kfe

vulnerability_id VCID-nn8g-m52e-5kfe

summary

Code Injection
Injection in `DefaultMailSystem::mail()`.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/drupal@8.6.2

purl pkg:composer/drupal/drupal@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2

aliases GMS-2018-61

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nn8g-m52e-5kfe

url VCID-tbah-jrah-a3fg

vulnerability_id VCID-tbah-jrah-a3fg

summary Cross-site Scripting vulnerability in drupal.

references

reference_url	https://www.drupal.org/sa-core-2019-004
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2019-004

fixed_packages

url pkg:composer/drupal/drupal@8.6.12

purl pkg:composer/drupal/drupal@8.6.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-wszp-2es5-z7fy

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.12

aliases GMS-2019-148

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tbah-jrah-a3fg

url VCID-w3x8-db6e-kued

vulnerability_id VCID-w3x8-db6e-kued

summary

Improper Access Control
In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/drupal@8.6.2

purl pkg:composer/drupal/drupal@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2

aliases GMS-2018-62

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w3x8-db6e-kued

url VCID-wszp-2es5-z7fy

vulnerability_id VCID-wszp-2es5-z7fy

summary

Moderately critical - Third-party libraries - SA-CORE-2019-007
The `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-11831

reference_id

reference_type

scores

value	0.28615
scoring_system	epss
scoring_elements	0.96622
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-11831

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml

reference_url

https://github.com/TYPO3/phar-stream-wrapper

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/phar-stream-wrapper

reference_url

https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1

reference_url

https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1

reference_url

https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/

reference_url

https://seclists.org/bugtraq/2019/May/36

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://seclists.org/bugtraq/2019/May/36

reference_url

https://typo3.org/security/advisory/typo3-psa-2019-007

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://typo3.org/security/advisory/typo3-psa-2019-007

reference_url	https://typo3.org/security/advisory/typo3-psa-2019-007/
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-psa-2019-007/

reference_url

https://www.debian.org/security/2019/dsa-4445

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2019/dsa-4445

reference_url

https://www.drupal.org/sa-core-2019-007

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2019-007

reference_url	https://www.drupal.org/SA-CORE-2019-007
reference_id
reference_type
scores
url	https://www.drupal.org/SA-CORE-2019-007

reference_url

https://www.synology.com/security/advisory/Synology_SA_19_22

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.synology.com/security/advisory/Synology_SA_19_22

reference_url

http://www.securityfocus.com/bid/108302

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/108302

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-11831

reference_id

CVE-2019-11831

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-11831

reference_url	https://github.com/advisories/GHSA-xv7v-rf6g-xwrc
reference_id	GHSA-xv7v-rf6g-xwrc
reference_type
scores
url	https://github.com/advisories/GHSA-xv7v-rf6g-xwrc

fixed_packages

url	pkg:composer/drupal/drupal@8.6.16
purl	pkg:composer/drupal/drupal@8.6.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.16

url pkg:composer/drupal/drupal@8.7.1

purl pkg:composer/drupal/drupal@8.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jed8-4cv5-6bcr

vulnerability	VCID-tp81-dw6e-9qah

vulnerability	VCID-vjrr-h9sh-3bcu

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.1

aliases CVE-2019-11831, GHSA-xv7v-rf6g-xwrc

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wszp-2es5-z7fy

url VCID-x34m-u169-1bce

vulnerability_id VCID-x34m-u169-1bce

summary

Improper Input Validation
A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted `phar://` URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-6339

reference_id

reference_type

scores

value	0.76091
scoring_system	epss
scoring_elements	0.98939
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-6339

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-6339

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-6339

reference_url

https://www.debian.org/security/2019/dsa-4370

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2019/dsa-4370

reference_url

https://www.drupal.org/sa-core-2019-002

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2019-002

fixed_packages

url pkg:composer/drupal/drupal@8.5.9

purl pkg:composer/drupal/drupal@8.5.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.9

url pkg:composer/drupal/drupal@8.6.6

purl pkg:composer/drupal/drupal@8.6.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-wszp-2es5-z7fy

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.6

aliases CVE-2019-6339, GHSA-8cw5-rv98-5c46

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x34m-u169-1bce

url VCID-zvtm-9bd5-ufgy

vulnerability_id VCID-zvtm-9bd5-ufgy

summary

XSS Vulnerability
CKEditor, a third-party JavaScript library included in Drupal core, is affected by a cross-site scripting (XSS) vulnerability. It's possible to execute XSS inside CKEditor when using the `image2` plugin.

references

reference_url	https://www.drupal.org/sa-core-2018-003
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-003

fixed_packages

url pkg:composer/drupal/drupal@8.5.2

purl pkg:composer/drupal/drupal@8.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c6t-kmb3-2qcm

vulnerability	VCID-bndv-n7w9-43b4

vulnerability	VCID-dnc7-jg8m-8fh3

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-eyew-pw17-ryfj

vulnerability	VCID-nn8g-m52e-5kfe

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-w3x8-db6e-kued

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.2

aliases SA-CORE-2018-003

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zvtm-9bd5-ufgy

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.0-rc1

Package Instance