Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/drupal/core@8.4.7

Type composer

Namespace drupal

Name core

Version 8.4.7

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 8.5.11

Latest_non_vulnerable_version 11.2.8

Affected_by_vulnerabilities

url VCID-1jfe-j1fz-juec

vulnerability_id VCID-1jfe-j1fz-juec

summary

URL Redirection to Untrusted Site ('Open Redirect')
Anonymous Open Redirect in drupal.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/core@8.6.2

purl pkg:composer/drupal/core@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2

aliases GMS-2018-54

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1jfe-j1fz-juec

url VCID-757r-nv73-gfhg

vulnerability_id VCID-757r-nv73-gfhg

summary

Code Injection
Injection in `DefaultMailSystem::mail()`.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/core@8.6.2

purl pkg:composer/drupal/core@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2

aliases GMS-2018-55

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-757r-nv73-gfhg

url VCID-j545-f44v-w3cn

vulnerability_id VCID-j545-f44v-w3cn

summary

Improper Input Validation
A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted `phar://` URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-6339

reference_id

reference_type

scores

value	0.76091
scoring_system	epss
scoring_elements	0.98943
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-6339

reference_url	https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

reference_url	https://www.debian.org/security/2019/dsa-4370
reference_id
reference_type
scores
url	https://www.debian.org/security/2019/dsa-4370

reference_url	https://www.drupal.org/sa-core-2019-002
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2019-002

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2019-6339
reference_id	CVE-2019-6339
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2019-6339

reference_url	https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml
reference_id	CVE-2019-6339.YAML
reference_type
scores
url	https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml

reference_url	https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml
reference_id	CVE-2019-6339.YAML
reference_type
scores
url	https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml

reference_url

https://github.com/advisories/GHSA-8cw5-rv98-5c46

reference_id

GHSA-8cw5-rv98-5c46

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8cw5-rv98-5c46

fixed_packages

url pkg:composer/drupal/core@8.5.9

purl pkg:composer/drupal/core@8.5.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.9

url	pkg:composer/drupal/core@8.6.6
purl	pkg:composer/drupal/core@8.6.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.6

aliases CVE-2019-6339, GHSA-8cw5-rv98-5c46

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j545-f44v-w3cn

url VCID-nfzm-eyht-kkb1

vulnerability_id VCID-nfzm-eyht-kkb1

summary Improper Access Control in drupal.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/core@8.6.2

purl pkg:composer/drupal/core@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2

aliases GMS-2018-52

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nfzm-eyht-kkb1

url VCID-re2h-u5bk-wqbw

vulnerability_id VCID-re2h-u5bk-wqbw

summary

URL Redirection to Untrusted Site ('Open Redirect')
External URL injection through URL aliases in drupal.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/core@8.6.2

purl pkg:composer/drupal/core@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2

aliases GMS-2018-53

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-re2h-u5bk-wqbw

url VCID-vby4-6r8z-6qgy

vulnerability_id VCID-vby4-6r8z-6qgy

summary

Improper Access Control
In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

references

reference_url	https://www.drupal.org/sa-core-2018-006
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-006

fixed_packages

url pkg:composer/drupal/core@8.6.2

purl pkg:composer/drupal/core@8.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2

aliases GMS-2018-56

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vby4-6r8z-6qgy

url VCID-yy7m-f66v-fbhz

vulnerability_id VCID-yy7m-f66v-fbhz

summary

Deserialization of Untrusted Data
Drupal core uses the third-party PEAR `Archive_Tar` library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-6338

reference_id

reference_type

scores

value	0.01047
scoring_system	epss
scoring_elements	0.77808
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-6338

reference_url	https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html

reference_url	https://www.debian.org/security/2019/dsa-4370
reference_id
reference_type
scores
url	https://www.debian.org/security/2019/dsa-4370

reference_url	https://www.drupal.org/sa-core-2019-001
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2019-001

reference_url	http://www.securityfocus.com/bid/106706
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/106706

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2019-6338
reference_id	CVE-2019-6338
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2019-6338

reference_url	https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml
reference_id	CVE-2019-6338.YAML
reference_type
scores
url	https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml

reference_url

https://github.com/advisories/GHSA-6rmq-x2hv-vxpp

reference_id

GHSA-6rmq-x2hv-vxpp

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6rmq-x2hv-vxpp

fixed_packages

url	pkg:composer/drupal/core@8.6.6
purl	pkg:composer/drupal/core@8.6.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.6

aliases CVE-2019-6338, GHSA-6rmq-x2hv-vxpp

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yy7m-f66v-fbhz

Fixing_vulnerabilities

url VCID-51ze-a1zm-ukey

vulnerability_id VCID-51ze-a1zm-ukey

summary

XSS Vulnerability
CKEditor, a third-party JavaScript library included in Drupal core, is affected by a cross-site scripting (XSS) vulnerability. It's possible to execute XSS inside CKEditor when using the `image2` plugin.

references

reference_url	https://www.drupal.org/sa-core-2018-003
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-003

fixed_packages

url pkg:composer/drupal/core@8.4.7

purl pkg:composer/drupal/core@8.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1jfe-j1fz-juec

vulnerability	VCID-757r-nv73-gfhg

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-nfzm-eyht-kkb1

vulnerability	VCID-re2h-u5bk-wqbw

vulnerability	VCID-vby4-6r8z-6qgy

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.7

url pkg:composer/drupal/core@8.5.2

purl pkg:composer/drupal/core@8.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1jfe-j1fz-juec

vulnerability	VCID-757r-nv73-gfhg

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-nfzm-eyht-kkb1

vulnerability	VCID-re2h-u5bk-wqbw

vulnerability	VCID-vby4-6r8z-6qgy

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.2

aliases SA-CORE-2018-003

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-51ze-a1zm-ukey

url VCID-9ux4-434v-jbb9

vulnerability_id VCID-9ux4-434v-jbb9

summary

Cross-site Scripting
XSS vulnerabiltiy in drupal.

references

reference_url	https://www.drupal.org/sa-core-2018-003
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2018-003

fixed_packages

url pkg:composer/drupal/core@8.5.0-alpha1

purl pkg:composer/drupal/core@8.5.0-alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1jfe-j1fz-juec

vulnerability	VCID-51ze-a1zm-ukey

vulnerability	VCID-757r-nv73-gfhg

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-nfzm-eyht-kkb1

vulnerability	VCID-re2h-u5bk-wqbw

vulnerability	VCID-vby4-6r8z-6qgy

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.0-alpha1

url pkg:composer/drupal/core@8.4.7

purl pkg:composer/drupal/core@8.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1jfe-j1fz-juec

vulnerability	VCID-757r-nv73-gfhg

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-nfzm-eyht-kkb1

vulnerability	VCID-re2h-u5bk-wqbw

vulnerability	VCID-vby4-6r8z-6qgy

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.7

url pkg:composer/drupal/core@8.5.2

purl pkg:composer/drupal/core@8.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1jfe-j1fz-juec

vulnerability	VCID-757r-nv73-gfhg

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-nfzm-eyht-kkb1

vulnerability	VCID-re2h-u5bk-wqbw

vulnerability	VCID-vby4-6r8z-6qgy

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.2

aliases GMS-2018-51

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9ux4-434v-jbb9

url VCID-svhr-wt5d-xbbq

vulnerability_id VCID-svhr-wt5d-xbbq

summary

Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the Enhanced Image plugin for CKEditor.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-9861

reference_id

reference_type

scores

value	0.00369
scoring_system	epss
scoring_elements	0.59074
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-9861

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-9861
reference_id	CVE-2018-9861
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-9861

fixed_packages

url pkg:composer/drupal/core@8.4.7

purl pkg:composer/drupal/core@8.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1jfe-j1fz-juec

vulnerability	VCID-757r-nv73-gfhg

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-nfzm-eyht-kkb1

vulnerability	VCID-re2h-u5bk-wqbw

vulnerability	VCID-vby4-6r8z-6qgy

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.7

url pkg:composer/drupal/core@8.5.2

purl pkg:composer/drupal/core@8.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1jfe-j1fz-juec

vulnerability	VCID-757r-nv73-gfhg

vulnerability	VCID-j545-f44v-w3cn

vulnerability	VCID-nfzm-eyht-kkb1

vulnerability	VCID-re2h-u5bk-wqbw

vulnerability	VCID-vby4-6r8z-6qgy

vulnerability	VCID-yy7m-f66v-fbhz

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.2

aliases CVE-2018-9861

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-svhr-wt5d-xbbq

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.7

Package Instance