Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/drupal/core@9.4.4
Typecomposer
Namespacedrupal
Namecore
Version9.4.4
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version10.4.9
Latest_non_vulnerable_version11.2.8
Affected_by_vulnerabilities
0
url VCID-16ns-uqh5-d3gh
vulnerability_id VCID-16ns-uqh5-d3gh
summary 
Generation of Error Message Containing Sensitive Information
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-5256
reference_id
reference_type
scores
0
value 0.01295
scoring_system epss
scoring_elements 0.79666
published_at 2026-04-04T12:55:00Z
1
value 0.01295
scoring_system epss
scoring_elements 0.79716
published_at 2026-04-18T12:55:00Z
2
value 0.01295
scoring_system epss
scoring_elements 0.79715
published_at 2026-04-16T12:55:00Z
3
value 0.01295
scoring_system epss
scoring_elements 0.79687
published_at 2026-04-13T12:55:00Z
4
value 0.01295
scoring_system epss
scoring_elements 0.79693
published_at 2026-04-12T12:55:00Z
5
value 0.01295
scoring_system epss
scoring_elements 0.79709
published_at 2026-04-11T12:55:00Z
6
value 0.01295
scoring_system epss
scoring_elements 0.79652
published_at 2026-04-07T12:55:00Z
7
value 0.01295
scoring_system epss
scoring_elements 0.79644
published_at 2026-04-02T12:55:00Z
8
value 0.01295
scoring_system epss
scoring_elements 0.79689
published_at 2026-04-09T12:55:00Z
9
value 0.01295
scoring_system epss
scoring_elements 0.79681
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-5256
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://github.com/drupal/core/commit/1cd2741c2b43f6ad1bdfc121b8d9ec3b87e70742
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/1cd2741c2b43f6ad1bdfc121b8d9ec3b87e70742
3
reference_url https://github.com/drupal/core/commit/5495dc530e3acd056478245bfe1828210c6da7dc
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/5495dc530e3acd056478245bfe1828210c6da7dc
4
reference_url https://github.com/drupal/core/commit/d4fe67562ee3ea0d9ecb9672d2945d94c5633d24
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/d4fe67562ee3ea0d9ecb9672d2945d94c5633d24
5
reference_url https://www.drupal.org/sa-core-2023-006
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T18:22:43Z/
url https://www.drupal.org/sa-core-2023-006
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5256
reference_id CVE-2023-5256
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-5256
7
reference_url https://github.com/advisories/GHSA-rjqg-3h9m-fx5x
reference_id GHSA-rjqg-3h9m-fx5x
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rjqg-3h9m-fx5x
fixed_packages
0
url pkg:composer/drupal/core@9.5.11
purl pkg:composer/drupal/core@9.5.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-ed6y-c9tz-mbds
3
vulnerability VCID-g33x-1paw-7udm
4
vulnerability VCID-hgb1-xrne-e7c8
5
vulnerability VCID-hwnd-nuv7-jqbh
6
vulnerability VCID-j21d-w3g7-cbcg
7
vulnerability VCID-jctf-yffu-hbag
8
vulnerability VCID-kam1-84p4-qych
9
vulnerability VCID-q4qx-7s1y-q3hc
10
vulnerability VCID-rdgr-yuu7-xkey
11
vulnerability VCID-syrg-ckq7-cbd6
12
vulnerability VCID-u4w3-usvb-jyf6
13
vulnerability VCID-vevm-4sfk-f7gq
14
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.11
1
url pkg:composer/drupal/core@10.0.11
purl pkg:composer/drupal/core@10.0.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-ed6y-c9tz-mbds
3
vulnerability VCID-g33x-1paw-7udm
4
vulnerability VCID-hgb1-xrne-e7c8
5
vulnerability VCID-hwnd-nuv7-jqbh
6
vulnerability VCID-j21d-w3g7-cbcg
7
vulnerability VCID-jctf-yffu-hbag
8
vulnerability VCID-kam1-84p4-qych
9
vulnerability VCID-q4qx-7s1y-q3hc
10
vulnerability VCID-rdgr-yuu7-xkey
11
vulnerability VCID-syrg-ckq7-cbd6
12
vulnerability VCID-u2d4-5g3d-zqbt
13
vulnerability VCID-u4w3-usvb-jyf6
14
vulnerability VCID-vevm-4sfk-f7gq
15
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.11
2
url pkg:composer/drupal/core@10.1.4
purl pkg:composer/drupal/core@10.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-727c-e81u-uyf2
3
vulnerability VCID-ed6y-c9tz-mbds
4
vulnerability VCID-g33x-1paw-7udm
5
vulnerability VCID-hgb1-xrne-e7c8
6
vulnerability VCID-hwnd-nuv7-jqbh
7
vulnerability VCID-j21d-w3g7-cbcg
8
vulnerability VCID-jctf-yffu-hbag
9
vulnerability VCID-kam1-84p4-qych
10
vulnerability VCID-q4qx-7s1y-q3hc
11
vulnerability VCID-rdgr-yuu7-xkey
12
vulnerability VCID-syrg-ckq7-cbd6
13
vulnerability VCID-u2d4-5g3d-zqbt
14
vulnerability VCID-u4w3-usvb-jyf6
15
vulnerability VCID-vevm-4sfk-f7gq
16
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.1.4
aliases CVE-2023-5256, GHSA-rjqg-3h9m-fx5x
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-16ns-uqh5-d3gh
1
url VCID-1nf6-3q5b-gqfm
vulnerability_id VCID-1nf6-3q5b-gqfm
summary 
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.

This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.

To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.

This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-55636
reference_id
reference_type
scores
0
value 0.08785
scoring_system epss
scoring_elements 0.92495
published_at 2026-04-04T12:55:00Z
1
value 0.08785
scoring_system epss
scoring_elements 0.92531
published_at 2026-04-18T12:55:00Z
2
value 0.08785
scoring_system epss
scoring_elements 0.92532
published_at 2026-04-16T12:55:00Z
3
value 0.08785
scoring_system epss
scoring_elements 0.92522
published_at 2026-04-12T12:55:00Z
4
value 0.08785
scoring_system epss
scoring_elements 0.92521
published_at 2026-04-13T12:55:00Z
5
value 0.08785
scoring_system epss
scoring_elements 0.92514
published_at 2026-04-09T12:55:00Z
6
value 0.08785
scoring_system epss
scoring_elements 0.9251
published_at 2026-04-08T12:55:00Z
7
value 0.08785
scoring_system epss
scoring_elements 0.92498
published_at 2026-04-07T12:55:00Z
8
value 0.08785
scoring_system epss
scoring_elements 0.92486
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-55636
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://github.com/drupal/core/commit/17f362b988e6ad6bd5cc1e7e8a7a0804e1536fbc
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/17f362b988e6ad6bd5cc1e7e8a7a0804e1536fbc
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-55636
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-55636
4
reference_url https://www.drupal.org/sa-core-2024-006
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:21:16Z/
url https://www.drupal.org/sa-core-2024-006
5
reference_url https://github.com/advisories/GHSA-938f-5r4f-h65v
reference_id GHSA-938f-5r4f-h65v
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-938f-5r4f-h65v
fixed_packages
0
url pkg:composer/drupal/core@10.2.11
purl pkg:composer/drupal/core@10.2.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11
1
url pkg:composer/drupal/core@10.3.9
purl pkg:composer/drupal/core@10.3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9
2
url pkg:composer/drupal/core@11.0.8
purl pkg:composer/drupal/core@11.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8
aliases CVE-2024-55636, GHSA-938f-5r4f-h65v
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1nf6-3q5b-gqfm
2
url VCID-2s8m-ujzb-skd1
vulnerability_id VCID-2s8m-ujzb-skd1
summary 
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.

This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-55637
reference_id
reference_type
scores
0
value 0.07606
scoring_system epss
scoring_elements 0.9183
published_at 2026-04-04T12:55:00Z
1
value 0.07606
scoring_system epss
scoring_elements 0.91872
published_at 2026-04-18T12:55:00Z
2
value 0.07606
scoring_system epss
scoring_elements 0.91876
published_at 2026-04-16T12:55:00Z
3
value 0.07606
scoring_system epss
scoring_elements 0.9186
published_at 2026-04-12T12:55:00Z
4
value 0.07606
scoring_system epss
scoring_elements 0.91856
published_at 2026-04-13T12:55:00Z
5
value 0.07606
scoring_system epss
scoring_elements 0.91851
published_at 2026-04-08T12:55:00Z
6
value 0.07606
scoring_system epss
scoring_elements 0.91838
published_at 2026-04-07T12:55:00Z
7
value 0.07606
scoring_system epss
scoring_elements 0.91823
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-55637
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://github.com/drupal/core/commit/1664030d399c73b4144f410f2ccc68c66a947f8d
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/1664030d399c73b4144f410f2ccc68c66a947f8d
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-55637
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-55637
4
reference_url https://www.drupal.org/sa-core-2024-007
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:20:25Z/
url https://www.drupal.org/sa-core-2024-007
5
reference_url https://github.com/advisories/GHSA-w6rx-9g2x-mg5g
reference_id GHSA-w6rx-9g2x-mg5g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w6rx-9g2x-mg5g
fixed_packages
0
url pkg:composer/drupal/core@10.2.11
purl pkg:composer/drupal/core@10.2.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11
1
url pkg:composer/drupal/core@10.3.9
purl pkg:composer/drupal/core@10.3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9
2
url pkg:composer/drupal/core@11.0.8
purl pkg:composer/drupal/core@11.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8
aliases CVE-2024-55637, GHSA-w6rx-9g2x-mg5g
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2s8m-ujzb-skd1
3
url VCID-bk92-66re-dkc5
vulnerability_id VCID-bk92-66re-dkc5
summary 
Access bypass in Drupal core
The file download facility does not sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-31250
reference_id
reference_type
scores
0
value 0.00257
scoring_system epss
scoring_elements 0.49107
published_at 2026-04-18T12:55:00Z
1
value 0.00257
scoring_system epss
scoring_elements 0.49072
published_at 2026-04-08T12:55:00Z
2
value 0.00257
scoring_system epss
scoring_elements 0.49069
published_at 2026-04-09T12:55:00Z
3
value 0.00257
scoring_system epss
scoring_elements 0.49085
published_at 2026-04-11T12:55:00Z
4
value 0.00257
scoring_system epss
scoring_elements 0.49058
published_at 2026-04-12T12:55:00Z
5
value 0.00257
scoring_system epss
scoring_elements 0.49064
published_at 2026-04-13T12:55:00Z
6
value 0.00257
scoring_system epss
scoring_elements 0.49109
published_at 2026-04-16T12:55:00Z
7
value 0.00257
scoring_system epss
scoring_elements 0.49037
published_at 2026-04-02T12:55:00Z
8
value 0.00257
scoring_system epss
scoring_elements 0.49065
published_at 2026-04-04T12:55:00Z
9
value 0.00257
scoring_system epss
scoring_elements 0.49018
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-31250
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://www.drupal.org/sa-core-2023-005
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T16:49:01Z/
url https://www.drupal.org/sa-core-2023-005
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-31250
reference_id CVE-2023-31250
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-31250
4
reference_url https://github.com/advisories/GHSA-8849-cv9f-vccm
reference_id GHSA-8849-cv9f-vccm
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8849-cv9f-vccm
fixed_packages
0
url pkg:composer/drupal/core@9.4.14
purl pkg:composer/drupal/core@9.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16ns-uqh5-d3gh
1
vulnerability VCID-1nf6-3q5b-gqfm
2
vulnerability VCID-2s8m-ujzb-skd1
3
vulnerability VCID-ed6y-c9tz-mbds
4
vulnerability VCID-g33x-1paw-7udm
5
vulnerability VCID-hgb1-xrne-e7c8
6
vulnerability VCID-hwnd-nuv7-jqbh
7
vulnerability VCID-j21d-w3g7-cbcg
8
vulnerability VCID-jctf-yffu-hbag
9
vulnerability VCID-kam1-84p4-qych
10
vulnerability VCID-q4qx-7s1y-q3hc
11
vulnerability VCID-rdgr-yuu7-xkey
12
vulnerability VCID-syrg-ckq7-cbd6
13
vulnerability VCID-u4w3-usvb-jyf6
14
vulnerability VCID-vevm-4sfk-f7gq
15
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.14
1
url pkg:composer/drupal/core@9.5.8
purl pkg:composer/drupal/core@9.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16ns-uqh5-d3gh
1
vulnerability VCID-1nf6-3q5b-gqfm
2
vulnerability VCID-2s8m-ujzb-skd1
3
vulnerability VCID-ed6y-c9tz-mbds
4
vulnerability VCID-g33x-1paw-7udm
5
vulnerability VCID-hgb1-xrne-e7c8
6
vulnerability VCID-hwnd-nuv7-jqbh
7
vulnerability VCID-j21d-w3g7-cbcg
8
vulnerability VCID-jctf-yffu-hbag
9
vulnerability VCID-kam1-84p4-qych
10
vulnerability VCID-q4qx-7s1y-q3hc
11
vulnerability VCID-rdgr-yuu7-xkey
12
vulnerability VCID-syrg-ckq7-cbd6
13
vulnerability VCID-u4w3-usvb-jyf6
14
vulnerability VCID-vevm-4sfk-f7gq
15
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.8
2
url pkg:composer/drupal/core@10.0.8
purl pkg:composer/drupal/core@10.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16ns-uqh5-d3gh
1
vulnerability VCID-1nf6-3q5b-gqfm
2
vulnerability VCID-2s8m-ujzb-skd1
3
vulnerability VCID-ed6y-c9tz-mbds
4
vulnerability VCID-g33x-1paw-7udm
5
vulnerability VCID-hgb1-xrne-e7c8
6
vulnerability VCID-hwnd-nuv7-jqbh
7
vulnerability VCID-j21d-w3g7-cbcg
8
vulnerability VCID-jctf-yffu-hbag
9
vulnerability VCID-kam1-84p4-qych
10
vulnerability VCID-q4qx-7s1y-q3hc
11
vulnerability VCID-rdgr-yuu7-xkey
12
vulnerability VCID-syrg-ckq7-cbd6
13
vulnerability VCID-u2d4-5g3d-zqbt
14
vulnerability VCID-u4w3-usvb-jyf6
15
vulnerability VCID-vevm-4sfk-f7gq
16
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.8
aliases CVE-2023-31250, GHSA-8849-cv9f-vccm
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bk92-66re-dkc5
4
url VCID-ed6y-c9tz-mbds
vulnerability_id VCID-ed6y-c9tz-mbds
summary 
Drupal Core Cross-Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-31675
reference_id
reference_type
scores
0
value 0.00232
scoring_system epss
scoring_elements 0.45972
published_at 2026-04-09T12:55:00Z
1
value 0.00232
scoring_system epss
scoring_elements 0.46026
published_at 2026-04-18T12:55:00Z
2
value 0.00232
scoring_system epss
scoring_elements 0.4603
published_at 2026-04-16T12:55:00Z
3
value 0.00232
scoring_system epss
scoring_elements 0.45968
published_at 2026-04-12T12:55:00Z
4
value 0.00232
scoring_system epss
scoring_elements 0.45996
published_at 2026-04-11T12:55:00Z
5
value 0.00232
scoring_system epss
scoring_elements 0.45975
published_at 2026-04-13T12:55:00Z
6
value 0.00232
scoring_system epss
scoring_elements 0.45919
published_at 2026-04-07T12:55:00Z
7
value 0.00272
scoring_system epss
scoring_elements 0.50622
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-31675
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-31675
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-31675
3
reference_url https://www.drupal.org/sa-core-2025-004
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T18:21:31Z/
url https://www.drupal.org/sa-core-2025-004
4
reference_url https://www.herodevs.com/vulnerability-directory/cve-2025-31675
reference_id cve-2025-31675
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T18:21:31Z/
url https://www.herodevs.com/vulnerability-directory/cve-2025-31675
5
reference_url https://github.com/advisories/GHSA-m4wj-hhwj-47qp
reference_id GHSA-m4wj-hhwj-47qp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m4wj-hhwj-47qp
6
reference_url https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004
reference_id link-moderately-critical-cross-site-scripting-sa-core-2025-004
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T18:21:31Z/
url https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004
fixed_packages
0
url pkg:composer/drupal/core@10.3.14
purl pkg:composer/drupal/core@10.3.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g33x-1paw-7udm
1
vulnerability VCID-hgb1-xrne-e7c8
2
vulnerability VCID-hwnd-nuv7-jqbh
3
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.14
1
url pkg:composer/drupal/core@10.4.5
purl pkg:composer/drupal/core@10.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g33x-1paw-7udm
1
vulnerability VCID-hgb1-xrne-e7c8
2
vulnerability VCID-hwnd-nuv7-jqbh
3
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.5
2
url pkg:composer/drupal/core@11.0.13
purl pkg:composer/drupal/core@11.0.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g33x-1paw-7udm
1
vulnerability VCID-hgb1-xrne-e7c8
2
vulnerability VCID-hwnd-nuv7-jqbh
3
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.13
3
url pkg:composer/drupal/core@11.1.5
purl pkg:composer/drupal/core@11.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g33x-1paw-7udm
1
vulnerability VCID-hgb1-xrne-e7c8
2
vulnerability VCID-hwnd-nuv7-jqbh
3
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.5
aliases CVE-2025-31675, GHSA-m4wj-hhwj-47qp
risk_score 2.5
exploitability 0.5
weighted_severity 4.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ed6y-c9tz-mbds
5
url VCID-g33x-1paw-7udm
vulnerability_id VCID-g33x-1paw-7udm
summary Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-13081
reference_id
reference_type
scores
0
value 0.00103
scoring_system epss
scoring_elements 0.28256
published_at 2026-04-18T12:55:00Z
1
value 0.0011
scoring_system epss
scoring_elements 0.29511
published_at 2026-04-11T12:55:00Z
2
value 0.0011
scoring_system epss
scoring_elements 0.29435
published_at 2026-04-16T12:55:00Z
3
value 0.0011
scoring_system epss
scoring_elements 0.29415
published_at 2026-04-13T12:55:00Z
4
value 0.0011
scoring_system epss
scoring_elements 0.29467
published_at 2026-04-12T12:55:00Z
5
value 0.00199
scoring_system epss
scoring_elements 0.41955
published_at 2026-04-02T12:55:00Z
6
value 0.00199
scoring_system epss
scoring_elements 0.41983
published_at 2026-04-04T12:55:00Z
7
value 0.00199
scoring_system epss
scoring_elements 0.41909
published_at 2026-04-07T12:55:00Z
8
value 0.00199
scoring_system epss
scoring_elements 0.41959
published_at 2026-04-08T12:55:00Z
9
value 0.00199
scoring_system epss
scoring_elements 0.41971
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-13081
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://www.drupal.org/sa-core-2025-006
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-19T04:55:20Z/
url https://www.drupal.org/sa-core-2025-006
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-13081
reference_id CVE-2025-13081
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
1
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-13081
4
reference_url https://github.com/advisories/GHSA-m6vv-vcj8-w8m7
reference_id GHSA-m6vv-vcj8-w8m7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m6vv-vcj8-w8m7
fixed_packages
0
url pkg:composer/drupal/core@10.4.9
purl pkg:composer/drupal/core@10.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9
1
url pkg:composer/drupal/core@10.5.6
purl pkg:composer/drupal/core@10.5.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6
2
url pkg:composer/drupal/core@11.1.9
purl pkg:composer/drupal/core@11.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9
3
url pkg:composer/drupal/core@11.2.8
purl pkg:composer/drupal/core@11.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8
aliases CVE-2025-13081, GHSA-m6vv-vcj8-w8m7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g33x-1paw-7udm
6
url VCID-hgb1-xrne-e7c8
vulnerability_id VCID-hgb1-xrne-e7c8
summary Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-13080
reference_id
reference_type
scores
0
value 0.00078
scoring_system epss
scoring_elements 0.23321
published_at 2026-04-18T12:55:00Z
1
value 0.00082
scoring_system epss
scoring_elements 0.24025
published_at 2026-04-12T12:55:00Z
2
value 0.00082
scoring_system epss
scoring_elements 0.23978
published_at 2026-04-16T12:55:00Z
3
value 0.00082
scoring_system epss
scoring_elements 0.24067
published_at 2026-04-11T12:55:00Z
4
value 0.00082
scoring_system epss
scoring_elements 0.23969
published_at 2026-04-13T12:55:00Z
5
value 0.00102
scoring_system epss
scoring_elements 0.28086
published_at 2026-04-08T12:55:00Z
6
value 0.00102
scoring_system epss
scoring_elements 0.28224
published_at 2026-04-04T12:55:00Z
7
value 0.00102
scoring_system epss
scoring_elements 0.28019
published_at 2026-04-07T12:55:00Z
8
value 0.00102
scoring_system epss
scoring_elements 0.28181
published_at 2026-04-02T12:55:00Z
9
value 0.00102
scoring_system epss
scoring_elements 0.28129
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-13080
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://www.drupal.org/sa-core-2025-005
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-18T20:35:13Z/
url https://www.drupal.org/sa-core-2025-005
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-13080
reference_id CVE-2025-13080
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-13080
4
reference_url https://github.com/advisories/GHSA-83v7-c2cf-p9c2
reference_id GHSA-83v7-c2cf-p9c2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-83v7-c2cf-p9c2
fixed_packages
0
url pkg:composer/drupal/core@10.4.9
purl pkg:composer/drupal/core@10.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9
1
url pkg:composer/drupal/core@10.5.6
purl pkg:composer/drupal/core@10.5.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6
2
url pkg:composer/drupal/core@11.1.9
purl pkg:composer/drupal/core@11.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9
3
url pkg:composer/drupal/core@11.2.8
purl pkg:composer/drupal/core@11.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8
aliases CVE-2025-13080, GHSA-83v7-c2cf-p9c2
risk_score 1.9
exploitability 0.5
weighted_severity 3.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hgb1-xrne-e7c8
7
url VCID-hwnd-nuv7-jqbh
vulnerability_id VCID-hwnd-nuv7-jqbh
summary User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-13082
reference_id
reference_type
scores
0
value 0.00037
scoring_system epss
scoring_elements 0.10973
published_at 2026-04-18T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.1163
published_at 2026-04-12T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.11465
published_at 2026-04-16T12:55:00Z
3
value 0.00039
scoring_system epss
scoring_elements 0.11666
published_at 2026-04-11T12:55:00Z
4
value 0.00039
scoring_system epss
scoring_elements 0.11603
published_at 2026-04-13T12:55:00Z
5
value 0.00073
scoring_system epss
scoring_elements 0.22208
published_at 2026-04-08T12:55:00Z
6
value 0.00073
scoring_system epss
scoring_elements 0.2234
published_at 2026-04-04T12:55:00Z
7
value 0.00073
scoring_system epss
scoring_elements 0.22125
published_at 2026-04-07T12:55:00Z
8
value 0.00073
scoring_system epss
scoring_elements 0.22297
published_at 2026-04-02T12:55:00Z
9
value 0.00073
scoring_system epss
scoring_elements 0.22263
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-13082
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://www.drupal.org/sa-core-2025-007
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-18T20:32:40Z/
url https://www.drupal.org/sa-core-2025-007
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-13082
reference_id CVE-2025-13082
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-13082
4
reference_url https://github.com/advisories/GHSA-h89p-5896-f4q8
reference_id GHSA-h89p-5896-f4q8
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h89p-5896-f4q8
fixed_packages
0
url pkg:composer/drupal/core@10.4.9
purl pkg:composer/drupal/core@10.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9
1
url pkg:composer/drupal/core@10.5.6
purl pkg:composer/drupal/core@10.5.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6
2
url pkg:composer/drupal/core@11.1.9
purl pkg:composer/drupal/core@11.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9
3
url pkg:composer/drupal/core@11.2.8
purl pkg:composer/drupal/core@11.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8
aliases CVE-2025-13082, GHSA-h89p-5896-f4q8
risk_score 1.5
exploitability 0.5
weighted_severity 3.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hwnd-nuv7-jqbh
8
url VCID-j21d-w3g7-cbcg
vulnerability_id VCID-j21d-w3g7-cbcg
summary 
Drupal Core Vulnerable to Forceful Browsing
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-31673
reference_id
reference_type
scores
0
value 0.00177
scoring_system epss
scoring_elements 0.39223
published_at 2026-04-07T12:55:00Z
1
value 0.00177
scoring_system epss
scoring_elements 0.39273
published_at 2026-04-18T12:55:00Z
2
value 0.00177
scoring_system epss
scoring_elements 0.39302
published_at 2026-04-16T12:55:00Z
3
value 0.00177
scoring_system epss
scoring_elements 0.39249
published_at 2026-04-13T12:55:00Z
4
value 0.00177
scoring_system epss
scoring_elements 0.39281
published_at 2026-04-02T12:55:00Z
5
value 0.00177
scoring_system epss
scoring_elements 0.39278
published_at 2026-04-08T12:55:00Z
6
value 0.00177
scoring_system epss
scoring_elements 0.39304
published_at 2026-04-04T12:55:00Z
7
value 0.00177
scoring_system epss
scoring_elements 0.39268
published_at 2026-04-12T12:55:00Z
8
value 0.00177
scoring_system epss
scoring_elements 0.39306
published_at 2026-04-11T12:55:00Z
9
value 0.00177
scoring_system epss
scoring_elements 0.39294
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-31673
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-31673
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-31673
3
reference_url https://www.drupal.org/sa-core-2025-002
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T15:47:04Z/
url https://www.drupal.org/sa-core-2025-002
4
reference_url https://github.com/advisories/GHSA-wpp8-fjgf-pwc7
reference_id GHSA-wpp8-fjgf-pwc7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wpp8-fjgf-pwc7
fixed_packages
0
url pkg:composer/drupal/core@10.3.13
purl pkg:composer/drupal/core@10.3.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.13
1
url pkg:composer/drupal/core@10.4.3
purl pkg:composer/drupal/core@10.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.3
2
url pkg:composer/drupal/core@11.0.12
purl pkg:composer/drupal/core@11.0.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.12
3
url pkg:composer/drupal/core@11.1.3
purl pkg:composer/drupal/core@11.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.3
aliases CVE-2025-31673, GHSA-wpp8-fjgf-pwc7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j21d-w3g7-cbcg
9
url VCID-jctf-yffu-hbag
vulnerability_id VCID-jctf-yffu-hbag
summary 
Drupal core Denial of Service vulnerability
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

Sites that do not use the Comment module are not affected.
references
0
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
1
reference_url https://github.com/drupal/core/commit/2f76ac716ca8019bc60579fdfc8aa6cd65d57dff
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/2f76ac716ca8019bc60579fdfc8aa6cd65d57dff
2
reference_url https://github.com/drupal/core/commit/5e606b560ac4ecb08135f12b6165bbe0348346a0
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/5e606b560ac4ecb08135f12b6165bbe0348346a0
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2024-01-17.yaml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2024-01-17.yaml
4
reference_url https://www.drupal.org/sa-core-2024-001
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.drupal.org/sa-core-2024-001
5
reference_url https://github.com/advisories/GHSA-6ccv-8fgf-cjpw
reference_id GHSA-6ccv-8fgf-cjpw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6ccv-8fgf-cjpw
fixed_packages
0
url pkg:composer/drupal/core@10.1.8
purl pkg:composer/drupal/core@10.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-ed6y-c9tz-mbds
3
vulnerability VCID-g33x-1paw-7udm
4
vulnerability VCID-hgb1-xrne-e7c8
5
vulnerability VCID-hwnd-nuv7-jqbh
6
vulnerability VCID-j21d-w3g7-cbcg
7
vulnerability VCID-kam1-84p4-qych
8
vulnerability VCID-q4qx-7s1y-q3hc
9
vulnerability VCID-rdgr-yuu7-xkey
10
vulnerability VCID-syrg-ckq7-cbd6
11
vulnerability VCID-u2d4-5g3d-zqbt
12
vulnerability VCID-u4w3-usvb-jyf6
13
vulnerability VCID-vevm-4sfk-f7gq
14
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.1.8
1
url pkg:composer/drupal/core@10.2.2
purl pkg:composer/drupal/core@10.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-ed6y-c9tz-mbds
3
vulnerability VCID-g33x-1paw-7udm
4
vulnerability VCID-hgb1-xrne-e7c8
5
vulnerability VCID-hwnd-nuv7-jqbh
6
vulnerability VCID-j21d-w3g7-cbcg
7
vulnerability VCID-kam1-84p4-qych
8
vulnerability VCID-q4qx-7s1y-q3hc
9
vulnerability VCID-rdgr-yuu7-xkey
10
vulnerability VCID-syrg-ckq7-cbd6
11
vulnerability VCID-u2d4-5g3d-zqbt
12
vulnerability VCID-u4w3-usvb-jyf6
13
vulnerability VCID-vevm-4sfk-f7gq
14
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.2
aliases GHSA-6ccv-8fgf-cjpw, GMS-2024-214
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jctf-yffu-hbag
10
url VCID-kam1-84p4-qych
vulnerability_id VCID-kam1-84p4-qych
summary 
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-31674
reference_id
reference_type
scores
0
value 0.00845
scoring_system epss
scoring_elements 0.74828
published_at 2026-04-18T12:55:00Z
1
value 0.00845
scoring_system epss
scoring_elements 0.74743
published_at 2026-04-02T12:55:00Z
2
value 0.00845
scoring_system epss
scoring_elements 0.7477
published_at 2026-04-04T12:55:00Z
3
value 0.00845
scoring_system epss
scoring_elements 0.74744
published_at 2026-04-07T12:55:00Z
4
value 0.00845
scoring_system epss
scoring_elements 0.74777
published_at 2026-04-08T12:55:00Z
5
value 0.00845
scoring_system epss
scoring_elements 0.74791
published_at 2026-04-09T12:55:00Z
6
value 0.00845
scoring_system epss
scoring_elements 0.74815
published_at 2026-04-11T12:55:00Z
7
value 0.00845
scoring_system epss
scoring_elements 0.74794
published_at 2026-04-12T12:55:00Z
8
value 0.00845
scoring_system epss
scoring_elements 0.74785
published_at 2026-04-13T12:55:00Z
9
value 0.00845
scoring_system epss
scoring_elements 0.7482
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-31674
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-31674
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-31674
3
reference_url https://www.drupal.org/sa-core-2025-003
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 4.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-03T17:16:59Z/
url https://www.drupal.org/sa-core-2025-003
4
reference_url https://github.com/advisories/GHSA-2qph-q8xw-gv7q
reference_id GHSA-2qph-q8xw-gv7q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2qph-q8xw-gv7q
fixed_packages
0
url pkg:composer/drupal/core@10.3.13
purl pkg:composer/drupal/core@10.3.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.13
1
url pkg:composer/drupal/core@10.4.3
purl pkg:composer/drupal/core@10.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.3
2
url pkg:composer/drupal/core@11.0.12
purl pkg:composer/drupal/core@11.0.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.12
3
url pkg:composer/drupal/core@11.1.3
purl pkg:composer/drupal/core@11.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.3
aliases CVE-2025-31674, GHSA-2qph-q8xw-gv7q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kam1-84p4-qych
11
url VCID-q4qx-7s1y-q3hc
vulnerability_id VCID-q4qx-7s1y-q3hc
summary 
Drupal Core Cross-Site Scripting (XSS)
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-12393
reference_id
reference_type
scores
0
value 0.01889
scoring_system epss
scoring_elements 0.83165
published_at 2026-04-08T12:55:00Z
1
value 0.01889
scoring_system epss
scoring_elements 0.83217
published_at 2026-04-18T12:55:00Z
2
value 0.01889
scoring_system epss
scoring_elements 0.83216
published_at 2026-04-16T12:55:00Z
3
value 0.01889
scoring_system epss
scoring_elements 0.83179
published_at 2026-04-13T12:55:00Z
4
value 0.01889
scoring_system epss
scoring_elements 0.83183
published_at 2026-04-12T12:55:00Z
5
value 0.01889
scoring_system epss
scoring_elements 0.83189
published_at 2026-04-11T12:55:00Z
6
value 0.01889
scoring_system epss
scoring_elements 0.83173
published_at 2026-04-09T12:55:00Z
7
value 0.01889
scoring_system epss
scoring_elements 0.83129
published_at 2026-04-02T12:55:00Z
8
value 0.01889
scoring_system epss
scoring_elements 0.83142
published_at 2026-04-04T12:55:00Z
9
value 0.01889
scoring_system epss
scoring_elements 0.83141
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-12393
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://github.com/drupal/core/commit/276ac67ad891605052e0a24fb36ece9caaa511e8
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/276ac67ad891605052e0a24fb36ece9caaa511e8
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-12393
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-12393
4
reference_url https://www.drupal.org/sa-core-2024-003
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:36:16Z/
url https://www.drupal.org/sa-core-2024-003
5
reference_url https://github.com/advisories/GHSA-8mvq-8h2v-j9vf
reference_id GHSA-8mvq-8h2v-j9vf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8mvq-8h2v-j9vf
fixed_packages
0
url pkg:composer/drupal/core@10.2.11
purl pkg:composer/drupal/core@10.2.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11
1
url pkg:composer/drupal/core@10.3.9
purl pkg:composer/drupal/core@10.3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9
2
url pkg:composer/drupal/core@11.0.8
purl pkg:composer/drupal/core@11.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8
aliases CVE-2024-12393, GHSA-8mvq-8h2v-j9vf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q4qx-7s1y-q3hc
12
url VCID-rdgr-yuu7-xkey
vulnerability_id VCID-rdgr-yuu7-xkey
summary 
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. 

This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-55638
reference_id
reference_type
scores
0
value 0.05148
scoring_system epss
scoring_elements 0.89896
published_at 2026-04-18T12:55:00Z
1
value 0.05148
scoring_system epss
scoring_elements 0.89842
published_at 2026-04-02T12:55:00Z
2
value 0.05148
scoring_system epss
scoring_elements 0.89855
published_at 2026-04-04T12:55:00Z
3
value 0.05148
scoring_system epss
scoring_elements 0.89861
published_at 2026-04-07T12:55:00Z
4
value 0.05148
scoring_system epss
scoring_elements 0.89878
published_at 2026-04-08T12:55:00Z
5
value 0.05148
scoring_system epss
scoring_elements 0.89884
published_at 2026-04-09T12:55:00Z
6
value 0.05148
scoring_system epss
scoring_elements 0.8989
published_at 2026-04-11T12:55:00Z
7
value 0.05148
scoring_system epss
scoring_elements 0.89888
published_at 2026-04-12T12:55:00Z
8
value 0.05148
scoring_system epss
scoring_elements 0.89881
published_at 2026-04-13T12:55:00Z
9
value 0.05148
scoring_system epss
scoring_elements 0.89895
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-55638
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-55638
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-55638
3
reference_url https://www.drupal.org/sa-core-2024-008
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:19:33Z/
url https://www.drupal.org/sa-core-2024-008
4
reference_url https://github.com/advisories/GHSA-gvf2-2f4g-jqf4
reference_id GHSA-gvf2-2f4g-jqf4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gvf2-2f4g-jqf4
fixed_packages
0
url pkg:composer/drupal/core@10.2.11
purl pkg:composer/drupal/core@10.2.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11
1
url pkg:composer/drupal/core@10.3.9
purl pkg:composer/drupal/core@10.3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9
aliases CVE-2024-55638, GHSA-gvf2-2f4g-jqf4
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rdgr-yuu7-xkey
13
url VCID-syrg-ckq7-cbd6
vulnerability_id VCID-syrg-ckq7-cbd6
summary Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-13083
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01041
published_at 2026-04-13T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01045
published_at 2026-04-11T12:55:00Z
2
value 0.0001
scoring_system epss
scoring_elements 0.01035
published_at 2026-04-16T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.0469
published_at 2026-04-07T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.04655
published_at 2026-04-02T12:55:00Z
5
value 0.00018
scoring_system epss
scoring_elements 0.04677
published_at 2026-04-04T12:55:00Z
6
value 0.00018
scoring_system epss
scoring_elements 0.04736
published_at 2026-04-09T12:55:00Z
7
value 0.00018
scoring_system epss
scoring_elements 0.04724
published_at 2026-04-08T12:55:00Z
8
value 9e-05
scoring_system epss
scoring_elements 0.00966
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-13083
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://www.drupal.org/sa-core-2025-008
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-18T20:31:33Z/
url https://www.drupal.org/sa-core-2025-008
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-13083
reference_id CVE-2025-13083
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 1.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-13083
4
reference_url https://github.com/advisories/GHSA-mhpg-hpj5-73r2
reference_id GHSA-mhpg-hpj5-73r2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mhpg-hpj5-73r2
fixed_packages
0
url pkg:composer/drupal/core@10.4.9
purl pkg:composer/drupal/core@10.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9
1
url pkg:composer/drupal/core@10.5.6
purl pkg:composer/drupal/core@10.5.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6
2
url pkg:composer/drupal/core@11.1.9
purl pkg:composer/drupal/core@11.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9
3
url pkg:composer/drupal/core@11.2.8
purl pkg:composer/drupal/core@11.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8
aliases CVE-2025-13083, GHSA-mhpg-hpj5-73r2
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-syrg-ckq7-cbd6
14
url VCID-u4w3-usvb-jyf6
vulnerability_id VCID-u4w3-usvb-jyf6
summary 
Drupal Full Path Disclosure
`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45440
reference_id
reference_type
scores
0
value 0.86443
scoring_system epss
scoring_elements 0.99404
published_at 2026-04-02T12:55:00Z
1
value 0.86443
scoring_system epss
scoring_elements 0.99405
published_at 2026-04-04T12:55:00Z
2
value 0.87227
scoring_system epss
scoring_elements 0.99449
published_at 2026-04-13T12:55:00Z
3
value 0.87227
scoring_system epss
scoring_elements 0.99448
published_at 2026-04-11T12:55:00Z
4
value 0.87227
scoring_system epss
scoring_elements 0.99447
published_at 2026-04-09T12:55:00Z
5
value 0.87227
scoring_system epss
scoring_elements 0.99445
published_at 2026-04-07T12:55:00Z
6
value 0.87227
scoring_system epss
scoring_elements 0.99452
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45440
1
reference_url https://github.com/drupal/drupal
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/drupal
2
reference_url https://github.com/github/advisory-database/pull/4827
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/github/advisory-database/pull/4827
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45440
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45440
4
reference_url https://senscybersecurity.nl/CVE-2024-45440-Explained
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://senscybersecurity.nl/CVE-2024-45440-Explained
5
reference_url https://www.drupal.org/project/drupal/issues/3457781
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/
url https://www.drupal.org/project/drupal/issues/3457781
6
reference_url https://www.drupal.org/project/drupal/releases/10.2.9
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.drupal.org/project/drupal/releases/10.2.9
7
reference_url https://www.drupal.org/project/drupal/releases/10.3.6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.drupal.org/project/drupal/releases/10.3.6
8
reference_url https://www.drupal.org/project/drupal/releases/11.0.5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.drupal.org/project/drupal/releases/11.0.5
9
reference_url https://www.exploit-db.com/exploits/52266
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/52266
10
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py
reference_id CVE-2024-45440
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py
11
reference_url https://senscybersecurity.nl/CVE-2024-45440-Explained/
reference_id CVE-2024-45440-Explained
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/
url https://senscybersecurity.nl/CVE-2024-45440-Explained/
12
reference_url https://github.com/advisories/GHSA-mg8j-w93w-xjgc
reference_id GHSA-mg8j-w93w-xjgc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mg8j-w93w-xjgc
fixed_packages
0
url pkg:composer/drupal/core@10.2.9
purl pkg:composer/drupal/core@10.2.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-ed6y-c9tz-mbds
3
vulnerability VCID-g33x-1paw-7udm
4
vulnerability VCID-hgb1-xrne-e7c8
5
vulnerability VCID-hwnd-nuv7-jqbh
6
vulnerability VCID-j21d-w3g7-cbcg
7
vulnerability VCID-kam1-84p4-qych
8
vulnerability VCID-q4qx-7s1y-q3hc
9
vulnerability VCID-rdgr-yuu7-xkey
10
vulnerability VCID-syrg-ckq7-cbd6
11
vulnerability VCID-u2d4-5g3d-zqbt
12
vulnerability VCID-vevm-4sfk-f7gq
13
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.9
1
url pkg:composer/drupal/core@10.3.0-beta1
purl pkg:composer/drupal/core@10.3.0-beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.0-beta1
2
url pkg:composer/drupal/core@10.3.6
purl pkg:composer/drupal/core@10.3.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-ed6y-c9tz-mbds
3
vulnerability VCID-g33x-1paw-7udm
4
vulnerability VCID-hgb1-xrne-e7c8
5
vulnerability VCID-hwnd-nuv7-jqbh
6
vulnerability VCID-j21d-w3g7-cbcg
7
vulnerability VCID-kam1-84p4-qych
8
vulnerability VCID-q4qx-7s1y-q3hc
9
vulnerability VCID-rdgr-yuu7-xkey
10
vulnerability VCID-syrg-ckq7-cbd6
11
vulnerability VCID-vevm-4sfk-f7gq
12
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.6
3
url pkg:composer/drupal/core@11.0.0-alpha1
purl pkg:composer/drupal/core@11.0.0-alpha1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.0-alpha1
4
url pkg:composer/drupal/core@11.0.5
purl pkg:composer/drupal/core@11.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nf6-3q5b-gqfm
1
vulnerability VCID-2s8m-ujzb-skd1
2
vulnerability VCID-ed6y-c9tz-mbds
3
vulnerability VCID-g33x-1paw-7udm
4
vulnerability VCID-hgb1-xrne-e7c8
5
vulnerability VCID-hwnd-nuv7-jqbh
6
vulnerability VCID-j21d-w3g7-cbcg
7
vulnerability VCID-kam1-84p4-qych
8
vulnerability VCID-q4qx-7s1y-q3hc
9
vulnerability VCID-syrg-ckq7-cbd6
10
vulnerability VCID-vevm-4sfk-f7gq
11
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.5
aliases CVE-2024-45440, GHSA-mg8j-w93w-xjgc
risk_score 10.0
exploitability 2.0
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u4w3-usvb-jyf6
15
url VCID-ummk-h11z-bkaj
vulnerability_id VCID-ummk-h11z-bkaj
summary 
Twig may load a template outside a configured directory when using the filesystem loader
# Description

When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed).

# Resolution

We fixed validation for such template names.

Even if the 1.x branch is not maintained anymore, a new version has been released.

# Credits

We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39261
reference_id
reference_type
scores
0
value 0.09505
scoring_system epss
scoring_elements 0.92815
published_at 2026-04-02T12:55:00Z
1
value 0.09505
scoring_system epss
scoring_elements 0.92847
published_at 2026-04-18T12:55:00Z
2
value 0.09505
scoring_system epss
scoring_elements 0.92846
published_at 2026-04-16T12:55:00Z
3
value 0.09505
scoring_system epss
scoring_elements 0.92835
published_at 2026-04-13T12:55:00Z
4
value 0.09505
scoring_system epss
scoring_elements 0.92831
published_at 2026-04-09T12:55:00Z
5
value 0.09505
scoring_system epss
scoring_elements 0.92827
published_at 2026-04-08T12:55:00Z
6
value 0.09505
scoring_system epss
scoring_elements 0.92818
published_at 2026-04-07T12:55:00Z
7
value 0.09505
scoring_system epss
scoring_elements 0.9282
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39261
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39261
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39261
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-39261.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2022-39261.yaml
3
reference_url https://github.com/twigphp/Twig
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig
4
reference_url https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b
5
reference_url https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33
6
reference_url https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.debian.org/debian-lts-announce/2022/10/msg00016.html
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-39261
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-39261
20
reference_url https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader
21
reference_url https://www.debian.org/security/2022/dsa-5248
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://www.debian.org/security/2022/dsa-5248
22
reference_url https://www.drupal.org/sa-core-2022-016
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://www.drupal.org/sa-core-2022-016
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991
reference_id 1020991
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020991
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
reference_id 2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OKRUHPVLIQVFPPJ2UWC3WV3WQO763NR/
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
reference_id AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUVTXMNPSZAHS3DWZEM56V5W4NPVR6L7/
26
reference_url https://github.com/advisories/GHSA-52m2-vc4m-jj33
reference_id GHSA-52m2-vc4m-jj33
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-52m2-vc4m-jj33
27
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
reference_id NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWRFPZSR74SYVJKBTKTMYUK36IJ3SQJP/
28
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
reference_id TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW53TFJ6WWNXMUHOFACKATJTS7NIHVQE/
29
reference_url https://usn.ubuntu.com/5947-1/
reference_id USN-5947-1
reference_type
scores
url https://usn.ubuntu.com/5947-1/
30
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
reference_id WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV5TNNJLGG536TJH6DLCIAAZZIPV2GUD/
31
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
reference_id YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:56Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YU4ZYX62H2NUAKKGUES4RZIM4KMTKZ7F/
fixed_packages
0
url pkg:composer/drupal/core@9.4.7
purl pkg:composer/drupal/core@9.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16ns-uqh5-d3gh
1
vulnerability VCID-1nf6-3q5b-gqfm
2
vulnerability VCID-2s8m-ujzb-skd1
3
vulnerability VCID-bk92-66re-dkc5
4
vulnerability VCID-ed6y-c9tz-mbds
5
vulnerability VCID-g33x-1paw-7udm
6
vulnerability VCID-hgb1-xrne-e7c8
7
vulnerability VCID-hwnd-nuv7-jqbh
8
vulnerability VCID-j21d-w3g7-cbcg
9
vulnerability VCID-jctf-yffu-hbag
10
vulnerability VCID-kam1-84p4-qych
11
vulnerability VCID-q4qx-7s1y-q3hc
12
vulnerability VCID-rdgr-yuu7-xkey
13
vulnerability VCID-syrg-ckq7-cbd6
14
vulnerability VCID-u4w3-usvb-jyf6
15
vulnerability VCID-vevm-4sfk-f7gq
16
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.7
1
url pkg:composer/drupal/core@9.5.0-beta1
purl pkg:composer/drupal/core@9.5.0-beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16ns-uqh5-d3gh
1
vulnerability VCID-1nf6-3q5b-gqfm
2
vulnerability VCID-2s8m-ujzb-skd1
3
vulnerability VCID-ed6y-c9tz-mbds
4
vulnerability VCID-g33x-1paw-7udm
5
vulnerability VCID-hgb1-xrne-e7c8
6
vulnerability VCID-hwnd-nuv7-jqbh
7
vulnerability VCID-j21d-w3g7-cbcg
8
vulnerability VCID-jctf-yffu-hbag
9
vulnerability VCID-kam1-84p4-qych
10
vulnerability VCID-q4qx-7s1y-q3hc
11
vulnerability VCID-rdgr-yuu7-xkey
12
vulnerability VCID-syrg-ckq7-cbd6
13
vulnerability VCID-u4w3-usvb-jyf6
14
vulnerability VCID-vevm-4sfk-f7gq
15
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.0-beta1
aliases CVE-2022-39261, GHSA-52m2-vc4m-jj33
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ummk-h11z-bkaj
16
url VCID-vevm-4sfk-f7gq
vulnerability_id VCID-vevm-4sfk-f7gq
summary 
Drupal core Access bypass
Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-55634
reference_id
reference_type
scores
0
value 0.00848
scoring_system epss
scoring_elements 0.7489
published_at 2026-04-18T12:55:00Z
1
value 0.00848
scoring_system epss
scoring_elements 0.74805
published_at 2026-04-02T12:55:00Z
2
value 0.00848
scoring_system epss
scoring_elements 0.74833
published_at 2026-04-04T12:55:00Z
3
value 0.00848
scoring_system epss
scoring_elements 0.74806
published_at 2026-04-07T12:55:00Z
4
value 0.00848
scoring_system epss
scoring_elements 0.74839
published_at 2026-04-08T12:55:00Z
5
value 0.00848
scoring_system epss
scoring_elements 0.74853
published_at 2026-04-09T12:55:00Z
6
value 0.00848
scoring_system epss
scoring_elements 0.74877
published_at 2026-04-11T12:55:00Z
7
value 0.00848
scoring_system epss
scoring_elements 0.74856
published_at 2026-04-12T12:55:00Z
8
value 0.00848
scoring_system epss
scoring_elements 0.74846
published_at 2026-04-13T12:55:00Z
9
value 0.00848
scoring_system epss
scoring_elements 0.74883
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-55634
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-55634
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-55634
4
reference_url https://www.drupal.org/sa-core-2024-004
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-11T16:38:29Z/
url https://www.drupal.org/sa-core-2024-004
5
reference_url https://github.com/advisories/GHSA-7cwc-fjqm-8vh8
reference_id GHSA-7cwc-fjqm-8vh8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7cwc-fjqm-8vh8
fixed_packages
0
url pkg:composer/drupal/core@10.2.11
purl pkg:composer/drupal/core@10.2.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.11
1
url pkg:composer/drupal/core@10.3.9
purl pkg:composer/drupal/core@10.3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.9
2
url pkg:composer/drupal/core@11.0.8
purl pkg:composer/drupal/core@11.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-j21d-w3g7-cbcg
5
vulnerability VCID-kam1-84p4-qych
6
vulnerability VCID-syrg-ckq7-cbd6
7
vulnerability VCID-vrdx-165p-efda
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.8
aliases CVE-2024-55634, GHSA-7cwc-fjqm-8vh8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vevm-4sfk-f7gq
17
url VCID-vrdx-165p-efda
vulnerability_id VCID-vrdx-165p-efda
summary 
Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-3057
reference_id
reference_type
scores
0
value 0.00406
scoring_system epss
scoring_elements 0.61022
published_at 2026-04-07T12:55:00Z
1
value 0.00406
scoring_system epss
scoring_elements 0.61123
published_at 2026-04-18T12:55:00Z
2
value 0.00406
scoring_system epss
scoring_elements 0.61116
published_at 2026-04-16T12:55:00Z
3
value 0.00406
scoring_system epss
scoring_elements 0.61074
published_at 2026-04-13T12:55:00Z
4
value 0.00406
scoring_system epss
scoring_elements 0.61093
published_at 2026-04-12T12:55:00Z
5
value 0.00406
scoring_system epss
scoring_elements 0.61107
published_at 2026-04-11T12:55:00Z
6
value 0.00406
scoring_system epss
scoring_elements 0.61028
published_at 2026-04-02T12:55:00Z
7
value 0.00406
scoring_system epss
scoring_elements 0.61086
published_at 2026-04-09T12:55:00Z
8
value 0.00406
scoring_system epss
scoring_elements 0.61056
published_at 2026-04-04T12:55:00Z
9
value 0.00406
scoring_system epss
scoring_elements 0.6107
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-3057
1
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-3057
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-3057
3
reference_url https://www.drupal.org/sa-core-2025-001
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-01T13:26:50Z/
url https://www.drupal.org/sa-core-2025-001
4
reference_url https://github.com/advisories/GHSA-39g6-x4x8-5jcm
reference_id GHSA-39g6-x4x8-5jcm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-39g6-x4x8-5jcm
fixed_packages
0
url pkg:composer/drupal/core@10.3.13
purl pkg:composer/drupal/core@10.3.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.3.13
1
url pkg:composer/drupal/core@10.4.3
purl pkg:composer/drupal/core@10.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.3
2
url pkg:composer/drupal/core@11.0.12
purl pkg:composer/drupal/core@11.0.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.0.12
3
url pkg:composer/drupal/core@11.1.3
purl pkg:composer/drupal/core@11.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ed6y-c9tz-mbds
1
vulnerability VCID-g33x-1paw-7udm
2
vulnerability VCID-hgb1-xrne-e7c8
3
vulnerability VCID-hwnd-nuv7-jqbh
4
vulnerability VCID-syrg-ckq7-cbd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.3
aliases CVE-2025-3057, GHSA-39g6-x4x8-5jcm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vrdx-165p-efda
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.4