Package Instance

reference_id

reference_type

scores

value	4.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-003

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	4.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-03T17:16:59Z/

url

https://www.drupal.org/sa-core-2025-003

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-31674

reference_id

CVE-2025-31674

reference_type

scores

value	4.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-31674

reference_url	https://github.com/advisories/GHSA-2qph-q8xw-gv7q
reference_id	GHSA-2qph-q8xw-gv7q
reference_type
scores
url	https://github.com/advisories/GHSA-2qph-q8xw-gv7q

fixed_packages

url pkg:composer/drupal/core@10.3.13

purl pkg:composer/drupal/core@10.3.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.13

url pkg:composer/drupal/core@10.4.3

purl pkg:composer/drupal/core@10.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.3

url pkg:composer/drupal/core@11.0.12

purl pkg:composer/drupal/core@11.0.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.12

url pkg:composer/drupal/core@11.1.3

purl pkg:composer/drupal/core@11.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.3

aliases CVE-2025-31674, GHSA-2qph-q8xw-gv7q

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2c5f-q858-huaw

url VCID-31qy-vagp-83b6

vulnerability_id VCID-31qy-vagp-83b6

summary

Exposure of Resource to Wrong Sphere
Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13670

reference_id

reference_type

scores

value	0.00427
scoring_system	epss
scoring_elements	0.62662
published_at	2026-06-04T12:55:00Z

value	0.00427
scoring_system	epss
scoring_elements	0.62706
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13670

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d

reference_url

https://www.drupal.org/sa-core-2020-011

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2020-011

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-13670

reference_id

CVE-2020-13670

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13670

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml

reference_id

CVE-2020-13670.YAML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml

reference_id

CVE-2020-13670.YAML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml

reference_url

https://github.com/advisories/GHSA-mmjr-5q74-p3m4

reference_id

GHSA-mmjr-5q74-p3m4

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mmjr-5q74-p3m4

fixed_packages

url pkg:composer/drupal/core@9.0.6

purl pkg:composer/drupal/core@9.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5jy9-mhbb-nuh7

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-9dfs-rpqy-6kfa

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-uq9s-79g7-rqh6

vulnerability	VCID-wsv7-je8g-sqet

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6

aliases CVE-2020-13670, GHSA-mmjr-5q74-p3m4

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-31qy-vagp-83b6

url VCID-3xk4-qwaq-5yaj

vulnerability_id VCID-3xk4-qwaq-5yaj

summary

Improper Access Control
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25278

reference_id

reference_type

scores

value	0.00479
scoring_system	epss
scoring_elements	0.6539
published_at	2026-06-04T12:55:00Z

value	0.00479
scoring_system	epss
scoring_elements	0.65441
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25278

reference_url

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2022-013

reference_url

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:39:47Z/

url

https://www.drupal.org/sa-core-2022-013

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25278

reference_id

CVE-2022-25278

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25278

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml

reference_id

CVE-2022-25278.YAML

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml

reference_url	https://github.com/advisories/GHSA-cfh2-7f6h-3m85
reference_id	GHSA-cfh2-7f6h-3m85
reference_type
scores
url	https://github.com/advisories/GHSA-cfh2-7f6h-3m85

fixed_packages

url pkg:composer/drupal/core@9.3.19

purl pkg:composer/drupal/core@9.3.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19

url pkg:composer/drupal/core@9.4.3

purl pkg:composer/drupal/core@9.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3

aliases CVE-2022-25278, GHSA-cfh2-7f6h-3m85

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3xk4-qwaq-5yaj

url VCID-4p4c-7rdc-37fa

vulnerability_id VCID-4p4c-7rdc-37fa

summary

Drupal Full Path Disclosure
`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-45440

reference_id

reference_type

scores

value	0.86689
scoring_system	epss
scoring_elements	0.9944
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-45440

reference_url

https://github.com/drupal/drupal

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/drupal

reference_url

https://github.com/github/advisory-database/pull/4827

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/github/advisory-database/pull/4827

reference_url

https://www.drupal.org/project/drupal/issues/3457781

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/

url

https://www.drupal.org/project/drupal/issues/3457781

reference_url

https://www.drupal.org/project/drupal/releases/10.2.9

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/project/drupal/releases/10.2.9

reference_url

https://www.drupal.org/project/drupal/releases/10.3.6

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/project/drupal/releases/10.3.6

reference_url

https://www.drupal.org/project/drupal/releases/11.0.5

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/project/drupal/releases/11.0.5

reference_url

https://www.exploit-db.com/exploits/52266

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.exploit-db.com/exploits/52266

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py
reference_id	CVE-2024-45440
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-45440

reference_id

CVE-2024-45440

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-45440

reference_url

https://senscybersecurity.nl/CVE-2024-45440-Explained/

reference_id

CVE-2024-45440-Explained

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/

url

https://senscybersecurity.nl/CVE-2024-45440-Explained/

reference_url

https://senscybersecurity.nl/CVE-2024-45440-Explained

reference_id

CVE-2024-45440-EXPLAINED

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://senscybersecurity.nl/CVE-2024-45440-Explained

reference_url

https://github.com/advisories/GHSA-mg8j-w93w-xjgc

reference_id

GHSA-mg8j-w93w-xjgc

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mg8j-w93w-xjgc

fixed_packages

url pkg:composer/drupal/core@10.2.9

purl pkg:composer/drupal/core@10.2.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-jyz4-ymrp-pka7

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.9

url pkg:composer/drupal/core@10.3.0-beta1

purl pkg:composer/drupal/core@10.3.0-beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.0-beta1

url pkg:composer/drupal/core@10.3.6

purl pkg:composer/drupal/core@10.3.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.6

url	pkg:composer/drupal/core@11.0.0-alpha1
purl	pkg:composer/drupal/core@11.0.0-alpha1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.0-alpha1

url pkg:composer/drupal/core@11.0.5

purl pkg:composer/drupal/core@11.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.5

aliases CVE-2024-45440, GHSA-mg8j-w93w-xjgc

risk_score 10.0

exploitability 2.0

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4p4c-7rdc-37fa

url VCID-54qh-fz2a-cyh6

vulnerability_id VCID-54qh-fz2a-cyh6

summary

Generation of Error Message Containing Sensitive Information
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-5256

reference_id

reference_type

scores

value	0.01295
scoring_system	epss
scoring_elements	0.80058
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-5256

reference_url

reference_id

reference_type

scores

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/1cd2741c2b43f6ad1bdfc121b8d9ec3b87e70742

reference_url

reference_id

reference_type

scores

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/1cd2741c2b43f6ad1bdfc121b8d9ec3b87e70742

reference_url

https://github.com/drupal/core/commit/5495dc530e3acd056478245bfe1828210c6da7dc

reference_id

reference_type

scores

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/5495dc530e3acd056478245bfe1828210c6da7dc

reference_url

https://github.com/drupal/core/commit/d4fe67562ee3ea0d9ecb9672d2945d94c5633d24

reference_id

reference_type

scores

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/d4fe67562ee3ea0d9ecb9672d2945d94c5633d24

reference_url

https://www.drupal.org/sa-core-2023-006

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T18:22:43Z/

url

https://www.drupal.org/sa-core-2023-006

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-5256

reference_id

CVE-2023-5256

reference_type

scores

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-5256

reference_url	https://github.com/advisories/GHSA-rjqg-3h9m-fx5x
reference_id	GHSA-rjqg-3h9m-fx5x
reference_type
scores
url	https://github.com/advisories/GHSA-rjqg-3h9m-fx5x

fixed_packages

url pkg:composer/drupal/core@9.5.11

purl pkg:composer/drupal/core@9.5.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.11

url pkg:composer/drupal/core@10.0.11

purl pkg:composer/drupal/core@10.0.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-jyz4-ymrp-pka7

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.11

url pkg:composer/drupal/core@10.1.4

purl pkg:composer/drupal/core@10.1.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-84g5-ckkq-hygm

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-jyz4-ymrp-pka7

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.1.4

aliases CVE-2023-5256, GHSA-rjqg-3h9m-fx5x

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-54qh-fz2a-cyh6

url VCID-5jy9-mhbb-nuh7

vulnerability_id VCID-5jy9-mhbb-nuh7

summary

Deserialization of Untrusted Data
Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28948.json

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28948.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-28948

reference_id

reference_type

scores

value	0.76873
scoring_system	epss
scoring_elements	0.98976
published_at	2026-06-05T12:55:00Z

value	0.76873
scoring_system	epss
scoring_elements	0.98975
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-28948

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-28948

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1904001
reference_id	1904001
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1904001

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108
reference_id	976108
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108

reference_url

reference_id

CVE-2020-28948

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-28948

reference_url	https://access.redhat.com/errata/RHSA-2022:6541
reference_id	RHSA-2022:6541
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6541

reference_url	https://access.redhat.com/errata/RHSA-2022:6542
reference_id	RHSA-2022:6542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6542

reference_url	https://access.redhat.com/errata/RHSA-2022:7340
reference_id	RHSA-2022:7340
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7340

reference_url	https://usn.ubuntu.com/4654-1/
reference_id	USN-4654-1
reference_type
scores
url	https://usn.ubuntu.com/4654-1/

reference_url	https://usn.ubuntu.com/6981-1/
reference_id	USN-6981-1
reference_type
scores
url	https://usn.ubuntu.com/6981-1/

reference_url	https://usn.ubuntu.com/6981-2/
reference_id	USN-6981-2
reference_type
scores
url	https://usn.ubuntu.com/6981-2/

fixed_packages

url pkg:composer/drupal/core@9.0.9

purl pkg:composer/drupal/core@9.0.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.9

url pkg:composer/drupal/core@9.1.0-alpha1

purl pkg:composer/drupal/core@9.1.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.0-alpha1

aliases CVE-2020-28948, GHSA-jh5x-hfhg-78jq

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5jy9-mhbb-nuh7

url VCID-67da-qxh5-aydx

vulnerability_id VCID-67da-qxh5-aydx

summary multiple issues

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36193.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36193.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-36193

reference_id

reference_type

scores

value	0.71148
scoring_system	epss
scoring_elements	0.9873
published_at	2026-06-04T12:55:00Z

value	0.71148
scoring_system	epss
scoring_elements	0.98731
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-36193

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916

reference_url

https://github.com/pear/Archive_Tar/issues/35

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pear/Archive_Tar/issues/35

reference_url

https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html

reference_url

https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193

reference_url

https://www.debian.org/security/2021/dsa-4894

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://www.debian.org/security/2021/dsa-4894

reference_url

https://www.drupal.org/sa-core-2021-001

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://www.drupal.org/sa-core-2021-001

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1942961
reference_id	1942961
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1942961

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

reference_id

42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980428
reference_id	980428
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980428

reference_url	https://security.archlinux.org/ASA-202102-7
reference_id	ASA-202102-7
reference_type
scores
url	https://security.archlinux.org/ASA-202102-7

reference_url

reference_id

AVG-1463

reference_type

scores

value	Critical
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-1464

reference_url

reference_id

AVG-1464

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-1464

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-36193

reference_id

CVE-2020-36193

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-36193

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-36193.yaml

reference_id

CVE-2020-36193.YAML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-36193.yaml

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/

reference_id

FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/

reference_url	https://github.com/advisories/GHSA-rpw6-9xfx-jvcx
reference_id	GHSA-rpw6-9xfx-jvcx
reference_type
scores
url	https://github.com/advisories/GHSA-rpw6-9xfx-jvcx

reference_url	https://access.redhat.com/errata/RHSA-2022:6541
reference_id	RHSA-2022:6541
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6541

reference_url	https://access.redhat.com/errata/RHSA-2022:6542
reference_id	RHSA-2022:6542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6542

reference_url	https://access.redhat.com/errata/RHSA-2022:7340
reference_id	RHSA-2022:7340
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7340

reference_url	https://usn.ubuntu.com/4723-1/
reference_id	USN-4723-1
reference_type
scores
url	https://usn.ubuntu.com/4723-1/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

reference_id

VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/

reference_id

YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-04T20:21:16Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/

fixed_packages

url pkg:composer/drupal/core@9.0.11

purl pkg:composer/drupal/core@9.0.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.11

url pkg:composer/drupal/core@9.1.0-alpha1

purl pkg:composer/drupal/core@9.1.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.0-alpha1

url pkg:composer/drupal/core@9.1.3

purl pkg:composer/drupal/core@9.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-2fas-m6vh-myhc

vulnerability	VCID-2t34-82p3-73c3

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-7v89-2sss-hfaz

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-dav9-pgdh-8yey

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-pzp5-2bpz-jfe2

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.3

aliases CVE-2020-36193, GHSA-rpw6-9xfx-jvcx

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-67da-qxh5-aydx

url VCID-6x4v-da7x-uyhh

vulnerability_id VCID-6x4v-da7x-uyhh

summary

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.

This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-55638

reference_id

reference_type

scores

value	0.09687
scoring_system	epss
scoring_elements	0.93075
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-55638

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2024-008

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:19:33Z/

url

https://www.drupal.org/sa-core-2024-008

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-55638

reference_id

CVE-2024-55638

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-55638

reference_url	https://github.com/advisories/GHSA-gvf2-2f4g-jqf4
reference_id	GHSA-gvf2-2f4g-jqf4
reference_type
scores
url	https://github.com/advisories/GHSA-gvf2-2f4g-jqf4

fixed_packages

url pkg:composer/drupal/core@10.2.11

purl pkg:composer/drupal/core@10.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11

url pkg:composer/drupal/core@10.3.9

purl pkg:composer/drupal/core@10.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9

aliases CVE-2024-55638, GHSA-gvf2-2f4g-jqf4

risk_score 4.4

exploitability 0.5

weighted_severity 8.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6x4v-da7x-uyhh

url VCID-9dfs-rpqy-6kfa

vulnerability_id VCID-9dfs-rpqy-6kfa

summary

Injection Vulnerability
archive_tar has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed.

references

reference_url

http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28949.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28949.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-28949

reference_id

reference_type

scores

value	0.93364
scoring_system	epss
scoring_elements	0.99822
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-28949

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1910323
reference_id	1910323
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1910323

reference_url

reference_id

42GPGVVFTLJYAKRI75IVB5R45NYQGEUR

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

reference_id

4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

reference_id

5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108
reference_id	976108
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-28949

reference_id

CVE-2020-28949

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-28949

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-28949.yaml

reference_id

CVE-2020-28949.YAML

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-28949.yaml

reference_url	https://github.com/advisories/GHSA-75c5-f4gw-38r9
reference_id	GHSA-75c5-f4gw-38r9
reference_type
scores
url	https://github.com/advisories/GHSA-75c5-f4gw-38r9

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

reference_id

KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

reference_id

NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

reference_url	https://access.redhat.com/errata/RHSA-2022:6541
reference_id	RHSA-2022:6541
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6541

reference_url	https://access.redhat.com/errata/RHSA-2022:6542
reference_id	RHSA-2022:6542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6542

reference_url	https://access.redhat.com/errata/RHSA-2022:7340
reference_id	RHSA-2022:7340
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7340

reference_url	https://usn.ubuntu.com/4654-1/
reference_id	USN-4654-1
reference_type
scores
url	https://usn.ubuntu.com/4654-1/

reference_url	https://usn.ubuntu.com/6981-1/
reference_id	USN-6981-1
reference_type
scores
url	https://usn.ubuntu.com/6981-1/

reference_url	https://usn.ubuntu.com/6981-2/
reference_id	USN-6981-2
reference_type
scores
url	https://usn.ubuntu.com/6981-2/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

reference_id

VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:49:30Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

fixed_packages

url pkg:composer/drupal/core@9.0.9

purl pkg:composer/drupal/core@9.0.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.9

url pkg:composer/drupal/core@9.1.0-alpha1

purl pkg:composer/drupal/core@9.1.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.0-alpha1

aliases CVE-2020-28949, GHSA-75c5-f4gw-38r9

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9dfs-rpqy-6kfa

url VCID-9rmk-e8zd-9bcw

vulnerability_id VCID-9rmk-e8zd-9bcw

summary

Incorrect Default Permissions
Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module does not sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13667

reference_id

reference_type

scores

value	0.00144
scoring_system	epss
scoring_elements	0.34495
published_at	2026-06-05T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34397
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13667

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13667.yaml

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13667.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13667.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13667.yaml

reference_url

https://www.drupal.org/sa-core-2020-008

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2020-008

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-13667

reference_id

CVE-2020-13667

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13667

reference_url

https://github.com/advisories/GHSA-x2q9-r8gm-f657

reference_id

GHSA-x2q9-r8gm-f657

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x2q9-r8gm-f657

fixed_packages

url pkg:composer/drupal/core@9.0.6

purl pkg:composer/drupal/core@9.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5jy9-mhbb-nuh7

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-9dfs-rpqy-6kfa

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-uq9s-79g7-rqh6

vulnerability	VCID-wsv7-je8g-sqet

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6

aliases CVE-2020-13667, GHSA-x2q9-r8gm-f657

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9rmk-e8zd-9bcw

url VCID-a3s2-c4k2-4ufn

vulnerability_id VCID-a3s2-c4k2-4ufn

summary Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13083

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.01484
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13083

reference_url

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-008

reference_url

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-18T20:31:33Z/

url

https://www.drupal.org/sa-core-2025-008

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13083

reference_id

CVE-2025-13083

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	1.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13083

reference_url

https://github.com/advisories/GHSA-mhpg-hpj5-73r2

reference_id

GHSA-mhpg-hpj5-73r2

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mhpg-hpj5-73r2

fixed_packages

url	pkg:composer/drupal/core@10.4.9
purl	pkg:composer/drupal/core@10.4.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9

url	pkg:composer/drupal/core@10.5.6
purl	pkg:composer/drupal/core@10.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6

url	pkg:composer/drupal/core@11.1.9
purl	pkg:composer/drupal/core@11.1.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9

url	pkg:composer/drupal/core@11.2.8
purl	pkg:composer/drupal/core@11.2.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8

aliases CVE-2025-13083, GHSA-mhpg-hpj5-73r2

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a3s2-c4k2-4ufn

url VCID-a7ss-tkb6-gkge

vulnerability_id VCID-a7ss-tkb6-gkge

summary

Improper access control
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25275

reference_id

reference_type

scores

value	0.00579
scoring_system	epss
scoring_elements	0.69245
published_at	2026-06-04T12:55:00Z

value	0.00579
scoring_system	epss
scoring_elements	0.69285
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25275

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf

reference_url

https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116

reference_url

https://www.drupal.org/sa-core-2022-012

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:45:46Z/

url

https://www.drupal.org/sa-core-2022-012

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25275

reference_id

CVE-2022-25275

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25275

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml

reference_id

CVE-2022-25275.YAML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml

reference_url

https://github.com/advisories/GHSA-xh3v-6f9j-wxw3

reference_id

GHSA-xh3v-6f9j-wxw3

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xh3v-6f9j-wxw3

fixed_packages

url pkg:composer/drupal/core@9.3.19

purl pkg:composer/drupal/core@9.3.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19

url pkg:composer/drupal/core@9.4.3

purl pkg:composer/drupal/core@9.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3

aliases CVE-2022-25275, GHSA-xh3v-6f9j-wxw3, GMS-2022-3362

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a7ss-tkb6-gkge

url VCID-ard5-3cjv-1beu

vulnerability_id VCID-ard5-3cjv-1beu

summary

Improper Input Validation
guzzlehttp/psr7 is a PSR-7 HTTP message library used in drupal. Versions prior to 1.8.4 and 2.1.1 is vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-24775

reference_id

reference_type

scores

value	0.00931
scoring_system	epss
scoring_elements	0.76518
published_at	2026-06-05T12:55:00Z

value	0.00931
scoring_system	epss
scoring_elements	0.76489
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-24775

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml

reference_url

https://github.com/guzzle/psr7

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/guzzle/psr7

reference_url

https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/

url

https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1

reference_url

https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/

url

https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc

reference_url

https://www.drupal.org/sa-core-2022-006

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/

url

https://www.drupal.org/sa-core-2022-006

reference_url

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236
reference_id	1008236
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-24775

reference_id

CVE-2022-24775

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-24775

reference_url

https://github.com/advisories/GHSA-q7rv-6hp3-vh96

reference_id

GHSA-q7rv-6hp3-vh96

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q7rv-6hp3-vh96

reference_url

https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96

reference_id

GHSA-q7rv-6hp3-vh96

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/

url

https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96

reference_url	https://usn.ubuntu.com/6670-1/
reference_id	USN-6670-1
reference_type
scores
url	https://usn.ubuntu.com/6670-1/

fixed_packages

url pkg:composer/drupal/core@9.2.16

purl pkg:composer/drupal/core@9.2.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5nbj-5x5a-93hz

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.16

url pkg:composer/drupal/core@9.3.0-alpha1

purl pkg:composer/drupal/core@9.3.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.0-alpha1

url pkg:composer/drupal/core@9.3.9

purl pkg:composer/drupal/core@9.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5nbj-5x5a-93hz

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-g1ew-tnk9-cuh7

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.9

url pkg:composer/drupal/core@10.0.0-alpha1

purl pkg:composer/drupal/core@10.0.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.0-alpha1

aliases CVE-2022-24775, GHSA-q7rv-6hp3-vh96

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ard5-3cjv-1beu

url VCID-avmn-kqky-83dd

vulnerability_id VCID-avmn-kqky-83dd

summary

Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13669

reference_id

reference_type

scores

value	0.00204
scoring_system	epss
scoring_elements	0.42349
published_at	2026-06-04T12:55:00Z

value	0.00204
scoring_system	epss
scoring_elements	0.42424
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13669

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2020-010

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2020-010

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-13669

reference_id

CVE-2020-13669

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13669

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml

reference_id

CVE-2020-13669.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml

reference_id

CVE-2020-13669.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml

reference_url

https://github.com/advisories/GHSA-c533-c843-67h8

reference_id

GHSA-c533-c843-67h8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c533-c843-67h8

fixed_packages

url pkg:composer/drupal/core@9.0.6

purl pkg:composer/drupal/core@9.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5jy9-mhbb-nuh7

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-9dfs-rpqy-6kfa

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-uq9s-79g7-rqh6

vulnerability	VCID-wsv7-je8g-sqet

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6

aliases CVE-2020-13669, GHSA-c533-c843-67h8

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-avmn-kqky-83dd

url VCID-b266-wste-eqh6

vulnerability_id VCID-b266-wste-eqh6

summary

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.

This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-55637

reference_id

reference_type

scores

value	0.09982
scoring_system	epss
scoring_elements	0.93194
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-55637

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/1664030d399c73b4144f410f2ccc68c66a947f8d

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/1664030d399c73b4144f410f2ccc68c66a947f8d

reference_url

https://www.drupal.org/sa-core-2024-007

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:20:25Z/

url

https://www.drupal.org/sa-core-2024-007

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-55637

reference_id

CVE-2024-55637

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-55637

reference_url	https://github.com/advisories/GHSA-w6rx-9g2x-mg5g
reference_id	GHSA-w6rx-9g2x-mg5g
reference_type
scores
url	https://github.com/advisories/GHSA-w6rx-9g2x-mg5g

fixed_packages

url pkg:composer/drupal/core@10.2.11

purl pkg:composer/drupal/core@10.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11

url pkg:composer/drupal/core@10.3.9

purl pkg:composer/drupal/core@10.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9

url pkg:composer/drupal/core@11.0.8

purl pkg:composer/drupal/core@11.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8

aliases CVE-2024-55637, GHSA-w6rx-9g2x-mg5g

risk_score 4.4

exploitability 0.5

weighted_severity 8.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b266-wste-eqh6

url VCID-b8fw-ya7y-h7d8

vulnerability_id VCID-b8fw-ya7y-h7d8

summary

Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-3057

reference_id

reference_type

scores

value	0.00406
scoring_system	epss
scoring_elements	0.61443
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-3057

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-001

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T13:26:50Z/

url

https://www.drupal.org/sa-core-2025-001

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-3057

reference_id

CVE-2025-3057

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-3057

reference_url	https://github.com/advisories/GHSA-39g6-x4x8-5jcm
reference_id	GHSA-39g6-x4x8-5jcm
reference_type
scores
url	https://github.com/advisories/GHSA-39g6-x4x8-5jcm

fixed_packages

url pkg:composer/drupal/core@10.3.13

purl pkg:composer/drupal/core@10.3.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.13

url pkg:composer/drupal/core@10.4.3

purl pkg:composer/drupal/core@10.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.3

url pkg:composer/drupal/core@11.0.12

purl pkg:composer/drupal/core@11.0.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.12

url pkg:composer/drupal/core@11.1.3

purl pkg:composer/drupal/core@11.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.3

aliases CVE-2025-3057, GHSA-39g6-x4x8-5jcm

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b8fw-ya7y-h7d8

url VCID-bge7-rqsx-gfee

vulnerability_id VCID-bge7-rqsx-gfee

summary

Access bypass in Drupal core
The file download facility does not sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-31250

reference_id

reference_type

scores

value	0.00361
scoring_system	epss
scoring_elements	0.58579
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-31250

reference_url

reference_id

reference_type

scores

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2023-005

reference_url

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T16:49:01Z/

url

https://www.drupal.org/sa-core-2023-005

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-31250

reference_id

CVE-2023-31250

reference_type

scores

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-31250

reference_url	https://github.com/advisories/GHSA-8849-cv9f-vccm
reference_id	GHSA-8849-cv9f-vccm
reference_type
scores
url	https://github.com/advisories/GHSA-8849-cv9f-vccm

fixed_packages

url pkg:composer/drupal/core@9.4.14

purl pkg:composer/drupal/core@9.4.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.14

url pkg:composer/drupal/core@9.5.8

purl pkg:composer/drupal/core@9.5.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.8

url pkg:composer/drupal/core@10.0.8

purl pkg:composer/drupal/core@10.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-jyz4-ymrp-pka7

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.8

aliases CVE-2023-31250, GHSA-8849-cv9f-vccm

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bge7-rqsx-gfee

url VCID-deks-ns51-nbdg

vulnerability_id VCID-deks-ns51-nbdg

summary

Drupal Core Vulnerable to Forceful Browsing
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-31673

reference_id

reference_type

scores

value	0.00173
scoring_system	epss
scoring_elements	0.3855
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-31673

reference_url

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-002

reference_url

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T15:47:04Z/

url

https://www.drupal.org/sa-core-2025-002

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-31673

reference_id

CVE-2025-31673

reference_type

scores

value	4.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-31673

reference_url	https://github.com/advisories/GHSA-wpp8-fjgf-pwc7
reference_id	GHSA-wpp8-fjgf-pwc7
reference_type
scores
url	https://github.com/advisories/GHSA-wpp8-fjgf-pwc7

fixed_packages

url pkg:composer/drupal/core@10.3.13

purl pkg:composer/drupal/core@10.3.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.13

url pkg:composer/drupal/core@10.4.3

purl pkg:composer/drupal/core@10.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.3

url pkg:composer/drupal/core@11.0.12

purl pkg:composer/drupal/core@11.0.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.12

url pkg:composer/drupal/core@11.1.3

purl pkg:composer/drupal/core@11.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.3

aliases CVE-2025-31673, GHSA-wpp8-fjgf-pwc7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-deks-ns51-nbdg

url VCID-dyhz-g3nv-yuc3

vulnerability_id VCID-dyhz-g3nv-yuc3

summary

Lack of domain validation in Druple core
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25276

reference_id

reference_type

scores

value	0.01831
scoring_system	epss
scoring_elements	0.83257
published_at	2026-06-04T12:55:00Z

value	0.01831
scoring_system	epss
scoring_elements	0.83283
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25276

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2022-015

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2022-015

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25276

reference_id

CVE-2022-25276

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25276

reference_url	https://github.com/advisories/GHSA-4wfq-jc9h-vpcx
reference_id	GHSA-4wfq-jc9h-vpcx
reference_type
scores
url	https://github.com/advisories/GHSA-4wfq-jc9h-vpcx

fixed_packages

url pkg:composer/drupal/core@9.3.19

purl pkg:composer/drupal/core@9.3.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19

url pkg:composer/drupal/core@9.4.3

purl pkg:composer/drupal/core@9.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3

aliases CVE-2022-25276, GHSA-4wfq-jc9h-vpcx

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dyhz-g3nv-yuc3

url VCID-egtv-y9w1-skgr

vulnerability_id VCID-egtv-y9w1-skgr

summary

Improper Input Validation
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25273

reference_id

reference_type

scores

value	0.0047
scoring_system	epss
scoring_elements	0.64955
published_at	2026-06-05T12:55:00Z

value	0.0047
scoring_system	epss
scoring_elements	0.64912
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25273

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2022-008

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T19:19:11Z/

url

https://www.drupal.org/sa-core-2022-008

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25273

reference_id

CVE-2022-25273

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25273

reference_url	https://github.com/advisories/GHSA-g36h-4jr6-qmm9
reference_id	GHSA-g36h-4jr6-qmm9
reference_type
scores
url	https://github.com/advisories/GHSA-g36h-4jr6-qmm9

fixed_packages

url pkg:composer/drupal/core@9.2.18

purl pkg:composer/drupal/core@9.2.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5nbj-5x5a-93hz

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.18

url pkg:composer/drupal/core@9.3.12

purl pkg:composer/drupal/core@9.3.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5nbj-5x5a-93hz

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.12

aliases CVE-2022-25273, GHSA-g36h-4jr6-qmm9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-egtv-y9w1-skgr

url VCID-hay8-hvsq-33bm

vulnerability_id VCID-hay8-hvsq-33bm

summary

Drupal Core Cross-Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-31675

reference_id

reference_type

scores

value	0.00088
scoring_system	epss
scoring_elements	0.25223
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-31675

reference_url

https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T18:21:31Z/

url

https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004

reference_url

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-004

reference_url

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T18:21:31Z/

url

https://www.drupal.org/sa-core-2025-004

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-31675

reference_id

CVE-2025-31675

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-31675

reference_url

https://www.herodevs.com/vulnerability-directory/cve-2025-31675

reference_id

CVE-2025-31675

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	1.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T18:21:31Z/

url

https://www.herodevs.com/vulnerability-directory/cve-2025-31675

reference_url	https://github.com/advisories/GHSA-m4wj-hhwj-47qp
reference_id	GHSA-m4wj-hhwj-47qp
reference_type
scores
url	https://github.com/advisories/GHSA-m4wj-hhwj-47qp

fixed_packages

url pkg:composer/drupal/core@10.3.14

purl pkg:composer/drupal/core@10.3.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.14

url pkg:composer/drupal/core@10.4.5

purl pkg:composer/drupal/core@10.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.5

url pkg:composer/drupal/core@11.0.13

purl pkg:composer/drupal/core@11.0.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.13

url pkg:composer/drupal/core@11.1.5

purl pkg:composer/drupal/core@11.1.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.5

aliases CVE-2025-31675, GHSA-m4wj-hhwj-47qp

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hay8-hvsq-33bm

url VCID-hkch-a5yn-jyg1

vulnerability_id VCID-hkch-a5yn-jyg1

summary Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-39261

reference_id

reference_type

scores

value	0.09505
scoring_system	epss
scoring_elements	0.92989
published_at	2026-06-04T12:55:00Z

value	0.09505
scoring_system	epss
scoring_elements	0.93
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-39261

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39261
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39261

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-39261.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-39261.yaml

reference_url

https://github.com/twigphp/Twig

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/twigphp/Twig

reference_url

https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b

reference_url

https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33

reference_url

https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-39261

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-39261

reference_url

https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader

reference_url

https://www.debian.org/security/2022/dsa-5248

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://www.debian.org/security/2022/dsa-5248

reference_url

https://www.drupal.org/sa-core-2022-016

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://www.drupal.org/sa-core-2022-016

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991
reference_id	1020991
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/

reference_id

2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/

reference_id

AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/

reference_url

https://github.com/advisories/GHSA-52m2-vc4m-jj33

reference_id

GHSA-52m2-vc4m-jj33

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-52m2-vc4m-jj33

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/

reference_id

NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/

reference_id

TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/

reference_url	https://usn.ubuntu.com/5947-1/
reference_id	USN-5947-1
reference_type
scores
url	https://usn.ubuntu.com/5947-1/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/

reference_id

WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/

reference_id

YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/

fixed_packages

url pkg:composer/drupal/core@9.3.22

purl pkg:composer/drupal/core@9.3.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.22

url pkg:composer/drupal/core@9.4.0-alpha1

purl pkg:composer/drupal/core@9.4.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.0-alpha1

url pkg:composer/drupal/core@9.4.7

purl pkg:composer/drupal/core@9.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.7

url pkg:composer/drupal/core@9.5.0-beta1

purl pkg:composer/drupal/core@9.5.0-beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.0-beta1

aliases CVE-2022-39261, GHSA-52m2-vc4m-jj33

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hkch-a5yn-jyg1

url VCID-j7bj-atys-qfg3

vulnerability_id VCID-j7bj-atys-qfg3

summary

Drupal core Access bypass
Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-55634

reference_id

reference_type

scores

value	0.01148
scoring_system	epss
scoring_elements	0.7884
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-55634

reference_url

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934

reference_url

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934

reference_url

https://www.drupal.org/sa-core-2024-004

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-11T16:38:29Z/

url

https://www.drupal.org/sa-core-2024-004

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-55634

reference_id

CVE-2024-55634

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-55634

reference_url	https://github.com/advisories/GHSA-7cwc-fjqm-8vh8
reference_id	GHSA-7cwc-fjqm-8vh8
reference_type
scores
url	https://github.com/advisories/GHSA-7cwc-fjqm-8vh8

fixed_packages

url pkg:composer/drupal/core@10.2.11

purl pkg:composer/drupal/core@10.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11

url pkg:composer/drupal/core@10.3.9

purl pkg:composer/drupal/core@10.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9

url pkg:composer/drupal/core@11.0.8

purl pkg:composer/drupal/core@11.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8

aliases CVE-2024-55634, GHSA-7cwc-fjqm-8vh8

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j7bj-atys-qfg3

url VCID-kzrs-mrga-nyej

vulnerability_id VCID-kzrs-mrga-nyej

summary User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13082

reference_id

reference_type

scores

value	0.00044
scoring_system	epss
scoring_elements	0.13922
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13082

reference_url

reference_id

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-007

reference_url

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-18T20:32:40Z/

url

https://www.drupal.org/sa-core-2025-007

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13082

reference_id

CVE-2025-13082

reference_type

scores

value	2.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13082

reference_url

https://github.com/advisories/GHSA-h89p-5896-f4q8

reference_id

GHSA-h89p-5896-f4q8

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-h89p-5896-f4q8

fixed_packages

url	pkg:composer/drupal/core@10.4.9
purl	pkg:composer/drupal/core@10.4.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9

url	pkg:composer/drupal/core@10.5.6
purl	pkg:composer/drupal/core@10.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6

url	pkg:composer/drupal/core@11.1.9
purl	pkg:composer/drupal/core@11.1.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9

url	pkg:composer/drupal/core@11.2.8
purl	pkg:composer/drupal/core@11.2.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8

aliases CVE-2025-13082, GHSA-h89p-5896-f4q8

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kzrs-mrga-nyej

url VCID-nacy-y1qt-5yhb

vulnerability_id VCID-nacy-y1qt-5yhb

summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13668

reference_id

reference_type

scores

value	0.00223
scoring_system	epss
scoring_elements	0.44935
published_at	2026-06-04T12:55:00Z

value	0.00223
scoring_system	epss
scoring_elements	0.45004
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13668

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8

reference_url

https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb

reference_url

https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13668

reference_url

reference_id

CVE-2020-13668

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13668

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml

reference_id

CVE-2020-13668.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml

reference_id

CVE-2020-13668.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml

reference_url

https://github.com/advisories/GHSA-m6q5-wv4x-fv6h

reference_id

GHSA-m6q5-wv4x-fv6h

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m6q5-wv4x-fv6h

fixed_packages

url pkg:composer/drupal/core@9.0.6

purl pkg:composer/drupal/core@9.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5jy9-mhbb-nuh7

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-9dfs-rpqy-6kfa

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-uq9s-79g7-rqh6

vulnerability	VCID-wsv7-je8g-sqet

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6

aliases CVE-2020-13668, GHSA-m6q5-wv4x-fv6h

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nacy-y1qt-5yhb

url VCID-p54u-b18k-jyft

vulnerability_id VCID-p54u-b18k-jyft

summary Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13080

reference_id

reference_type

scores

value	0.00093
scoring_system	epss
scoring_elements	0.26138
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13080

reference_url

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-005

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-18T20:35:13Z/

url

https://www.drupal.org/sa-core-2025-005

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13080

reference_id

CVE-2025-13080

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13080

reference_url

https://github.com/advisories/GHSA-83v7-c2cf-p9c2

reference_id

GHSA-83v7-c2cf-p9c2

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-83v7-c2cf-p9c2

fixed_packages

url	pkg:composer/drupal/core@10.4.9
purl	pkg:composer/drupal/core@10.4.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9

url	pkg:composer/drupal/core@10.5.6
purl	pkg:composer/drupal/core@10.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6

url	pkg:composer/drupal/core@11.1.9
purl	pkg:composer/drupal/core@11.1.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9

url	pkg:composer/drupal/core@11.2.8
purl	pkg:composer/drupal/core@11.2.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8

aliases CVE-2025-13080, GHSA-83v7-c2cf-p9c2

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p54u-b18k-jyft

url VCID-qwge-qrwn-1faj

vulnerability_id VCID-qwge-qrwn-1faj

summary

Drupal Core Cross-Site Scripting (XSS)
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-12393

reference_id

reference_type

scores

value	0.02544
scoring_system	epss
scoring_elements	0.85769
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-12393

reference_url

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/276ac67ad891605052e0a24fb36ece9caaa511e8

reference_url

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/276ac67ad891605052e0a24fb36ece9caaa511e8

reference_url

https://www.drupal.org/sa-core-2024-003

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:36:16Z/

url

https://www.drupal.org/sa-core-2024-003

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-12393

reference_id

CVE-2024-12393

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-12393

reference_url	https://github.com/advisories/GHSA-8mvq-8h2v-j9vf
reference_id	GHSA-8mvq-8h2v-j9vf
reference_type
scores
url	https://github.com/advisories/GHSA-8mvq-8h2v-j9vf

fixed_packages

url pkg:composer/drupal/core@10.2.11

purl pkg:composer/drupal/core@10.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11

url pkg:composer/drupal/core@10.3.9

purl pkg:composer/drupal/core@10.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9

url pkg:composer/drupal/core@11.0.8

purl pkg:composer/drupal/core@11.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8

aliases CVE-2024-12393, GHSA-8mvq-8h2v-j9vf

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qwge-qrwn-1faj

url VCID-rd4g-h1j9-23cb

vulnerability_id VCID-rd4g-h1j9-23cb

summary

Unrestricted Upload of File with Dangerous Type
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously does not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25277

reference_id

reference_type

scores

value	0.02448
scoring_system	epss
scoring_elements	0.85496
published_at	2026-06-05T12:55:00Z

value	0.02448
scoring_system	epss
scoring_elements	0.85472
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25277

reference_url

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17

reference_url

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17

reference_url

https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a

reference_url

https://www.drupal.org/sa-core-2022-014

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-03T18:41:13Z/

url

https://www.drupal.org/sa-core-2022-014

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25277

reference_id

CVE-2022-25277

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25277

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml

reference_id

CVE-2022-25277.YAML

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml

reference_url

https://github.com/advisories/GHSA-6955-67hm-vjjq

reference_id

GHSA-6955-67hm-vjjq

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6955-67hm-vjjq

fixed_packages

url pkg:composer/drupal/core@9.3.19

purl pkg:composer/drupal/core@9.3.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19

url pkg:composer/drupal/core@9.4.3

purl pkg:composer/drupal/core@9.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3

aliases CVE-2022-25277, GHSA-6955-67hm-vjjq, GMS-2022-3361

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rd4g-h1j9-23cb

url VCID-sg4r-hncm-dqcq

vulnerability_id VCID-sg4r-hncm-dqcq

summary

Cross-site Scripting
A cross-site scripting vulnerability exists in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13666

reference_id

reference_type

scores

value	0.00509
scoring_system	epss
scoring_elements	0.66703
published_at	2026-06-04T12:55:00Z

value	0.00509
scoring_system	epss
scoring_elements	0.66744
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13666

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13666.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13666.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13666.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13666.yaml

reference_url

https://www.drupal.org/sa-core-2020-007

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2020-007

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-13666

reference_id

CVE-2020-13666

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13666

reference_url

https://github.com/advisories/GHSA-8jj2-x2gc-ggm7

reference_id

GHSA-8jj2-x2gc-ggm7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8jj2-x2gc-ggm7

fixed_packages

url pkg:composer/drupal/core@9.0.6

purl pkg:composer/drupal/core@9.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5jy9-mhbb-nuh7

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-9dfs-rpqy-6kfa

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-uq9s-79g7-rqh6

vulnerability	VCID-wsv7-je8g-sqet

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6

aliases CVE-2020-13666, GHSA-8jj2-x2gc-ggm7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sg4r-hncm-dqcq

url VCID-t89y-c9hq-9bhk

vulnerability_id VCID-t89y-c9hq-9bhk

summary

Drupal core Denial of Service vulnerability
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

Sites that do not use the Comment module are not affected.

references

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/2f76ac716ca8019bc60579fdfc8aa6cd65d57dff

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/2f76ac716ca8019bc60579fdfc8aa6cd65d57dff

reference_url

https://github.com/drupal/core/commit/5e606b560ac4ecb08135f12b6165bbe0348346a0

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/5e606b560ac4ecb08135f12b6165bbe0348346a0

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2024-01-17.yaml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2024-01-17.yaml

reference_url

https://www.drupal.org/sa-core-2024-001

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2024-001

reference_url

https://github.com/advisories/GHSA-6ccv-8fgf-cjpw

reference_id

GHSA-6ccv-8fgf-cjpw

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6ccv-8fgf-cjpw

fixed_packages

url pkg:composer/drupal/core@10.1.8

purl pkg:composer/drupal/core@10.1.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-jyz4-ymrp-pka7

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.1.8

url pkg:composer/drupal/core@10.2.2

purl pkg:composer/drupal/core@10.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-jyz4-ymrp-pka7

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.2

aliases GHSA-6ccv-8fgf-cjpw, GMS-2024-214

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t89y-c9hq-9bhk

url VCID-tpzm-u3qp-akc8

vulnerability_id VCID-tpzm-u3qp-akc8

summary multiple issues

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13672

reference_id

reference_type

scores

value	0.00555
scoring_system	epss
scoring_elements	0.6851
published_at	2026-06-05T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68469
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13672

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2021-002

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2021-002

reference_url

reference_id

AVG-1463

reference_type

scores

value	Critical
scoring_system	archlinux
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13672

reference_url

reference_id

CVE-2020-13672

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13672

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml

reference_id

CVE-2020-13672.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml

reference_id

CVE-2020-13672.YAML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml

reference_url

https://github.com/advisories/GHSA-3m36-mjwj-352c

reference_id

GHSA-3m36-mjwj-352c

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3m36-mjwj-352c

fixed_packages

url pkg:composer/drupal/core@9.0.12

purl pkg:composer/drupal/core@9.0.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.12

url pkg:composer/drupal/core@9.1.7

purl pkg:composer/drupal/core@9.1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-2fas-m6vh-myhc

vulnerability	VCID-2t34-82p3-73c3

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-7v89-2sss-hfaz

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-dav9-pgdh-8yey

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-pzp5-2bpz-jfe2

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.7

aliases CVE-2020-13672, GHSA-3m36-mjwj-352c

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tpzm-u3qp-akc8

url VCID-uq9s-79g7-rqh6

vulnerability_id VCID-uq9s-79g7-rqh6

summary

Drupal core Arbitrary PHP code execution
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
CVE-2020-28948
CVE-2020-28949

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

references

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2020-11-25.yaml

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2020-11-25.yaml

reference_url

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-gxxj-g9v8-w28p

reference_url

reference_id

GHSA-gxxj-g9v8-w28p

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gxxj-g9v8-w28p

fixed_packages

url pkg:composer/drupal/core@9.0.9

purl pkg:composer/drupal/core@9.0.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.9

aliases GHSA-gxxj-g9v8-w28p

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uq9s-79g7-rqh6

url VCID-wsv7-je8g-sqet

vulnerability_id VCID-wsv7-je8g-sqet

summary

Drupal core Unrestricted Upload of File with Dangerous Type
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13671

reference_id

reference_type

scores

value	0.04504
scoring_system	epss
scoring_elements	0.89338
published_at	2026-06-05T12:55:00Z

value	0.04504
scoring_system	epss
scoring_elements	0.8932
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13671

reference_url

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_url

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671

reference_url

https://www.drupal.org/sa-core-2020-012

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/

url

https://www.drupal.org/sa-core-2020-012

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

reference_id

5KSFM672XW3X6BR7TVKRD63SLZGKK437

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-13671

reference_id

CVE-2020-13671

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-13671

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml

reference_id

CVE-2020-13671.YAML

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml

reference_id

CVE-2020-13671.YAML

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml

reference_url	https://github.com/advisories/GHSA-68jc-v27h-vhmw
reference_id	GHSA-68jc-v27h-vhmw
reference_type
scores
url	https://github.com/advisories/GHSA-68jc-v27h-vhmw

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

reference_id

KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Attend
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

reference_url	https://usn.ubuntu.com/6981-1/
reference_id	USN-6981-1
reference_type
scores
url	https://usn.ubuntu.com/6981-1/

reference_url	https://usn.ubuntu.com/6981-2/
reference_id	USN-6981-2
reference_type
scores
url	https://usn.ubuntu.com/6981-2/

fixed_packages

url pkg:composer/drupal/core@9.0.8

purl pkg:composer/drupal/core@9.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-4p4c-7rdc-37fa

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-5jy9-mhbb-nuh7

vulnerability	VCID-67da-qxh5-aydx

vulnerability	VCID-6x4v-da7x-uyhh

vulnerability	VCID-9dfs-rpqy-6kfa

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-ard5-3cjv-1beu

vulnerability	VCID-b266-wste-eqh6

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-egtv-y9w1-skgr

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-hkch-a5yn-jyg1

vulnerability	VCID-j7bj-atys-qfg3

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-qwge-qrwn-1faj

vulnerability	VCID-rd4g-h1j9-23cb

vulnerability	VCID-t89y-c9hq-9bhk

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-uq9s-79g7-rqh6

vulnerability	VCID-xv4d-ped2-4udz

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.8

aliases CVE-2020-13671, GHSA-68jc-v27h-vhmw

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wsv7-je8g-sqet

url VCID-xv4d-ped2-4udz

vulnerability_id VCID-xv4d-ped2-4udz

summary

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.

This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.

To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.

This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-55636

reference_id

reference_type

scores

value	0.11473
scoring_system	epss
scoring_elements	0.93753
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-55636

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/17f362b988e6ad6bd5cc1e7e8a7a0804e1536fbc

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/drupal/core/commit/17f362b988e6ad6bd5cc1e7e8a7a0804e1536fbc

reference_url

https://www.drupal.org/sa-core-2024-006

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:21:16Z/

url

https://www.drupal.org/sa-core-2024-006

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-55636

reference_id

CVE-2024-55636

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-55636

reference_url	https://github.com/advisories/GHSA-938f-5r4f-h65v
reference_id	GHSA-938f-5r4f-h65v
reference_type
scores
url	https://github.com/advisories/GHSA-938f-5r4f-h65v

fixed_packages

url pkg:composer/drupal/core@10.2.11

purl pkg:composer/drupal/core@10.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11

url pkg:composer/drupal/core@10.3.9

purl pkg:composer/drupal/core@10.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9

url pkg:composer/drupal/core@11.0.8

purl pkg:composer/drupal/core@11.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2c5f-q858-huaw

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-b8fw-ya7y-h7d8

vulnerability	VCID-deks-ns51-nbdg

vulnerability	VCID-hay8-hvsq-33bm

vulnerability	VCID-kzrs-mrga-nyej

vulnerability	VCID-p54u-b18k-jyft

vulnerability	VCID-yq4q-hydz-vuga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8

aliases CVE-2024-55636, GHSA-938f-5r4f-h65v

risk_score 4.4

exploitability 0.5

weighted_severity 8.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xv4d-ped2-4udz

url VCID-yq4q-hydz-vuga

vulnerability_id VCID-yq4q-hydz-vuga

summary Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13081

reference_id

reference_type

scores

value	0.00135
scoring_system	epss
scoring_elements	0.33091
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13081

reference_url

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

value	4.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.drupal.org/sa-core-2025-006

reference_url

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

value	4.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-19T04:55:20Z/

url

https://www.drupal.org/sa-core-2025-006

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13081

reference_id

CVE-2025-13081

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

value	4.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13081

reference_url

https://github.com/advisories/GHSA-m6vv-vcj8-w8m7

reference_id

GHSA-m6vv-vcj8-w8m7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m6vv-vcj8-w8m7

fixed_packages

url	pkg:composer/drupal/core@10.4.9
purl	pkg:composer/drupal/core@10.4.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9

url	pkg:composer/drupal/core@10.5.6
purl	pkg:composer/drupal/core@10.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6

url	pkg:composer/drupal/core@11.1.9
purl	pkg:composer/drupal/core@11.1.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9

url	pkg:composer/drupal/core@11.2.8
purl	pkg:composer/drupal/core@11.2.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8

aliases CVE-2025-13081, GHSA-m6vv-vcj8-w8m7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yq4q-hydz-vuga

url VCID-zr84-4jzv-2fd3

vulnerability_id VCID-zr84-4jzv-2fd3

summary

Cross-site Scripting
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-13688

reference_id

reference_type

scores

value	0.0034
scoring_system	epss
scoring_elements	0.56974
published_at	2026-06-04T12:55:00Z

value	0.0034
scoring_system	epss
scoring_elements	0.57026
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-13688

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url