Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/drupal/core-recommended@8.2.0-beta2
purl pkg:composer/drupal/core-recommended@8.2.0-beta2
Next non-vulnerable version 8.9.13
Latest non-vulnerable version 11.0.8
Risk
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-5jy9-mhbb-nuh7
Aliases:
CVE-2020-28948
GHSA-jh5x-hfhg-78jq
Deserialization of Untrusted Data Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
8.9.10
Affected by 1 other vulnerability.
9.0.0-alpha1
Affected by 0 other vulnerabilities.
9.0.9
Affected by 1 other vulnerability.
9.1.0-alpha1
Affected by 0 other vulnerabilities.
VCID-9dfs-rpqy-6kfa
Aliases:
CVE-2020-28949
GHSA-75c5-f4gw-38r9
Injection Vulnerability archive_tar has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed.
8.9.10
Affected by 1 other vulnerability.
9.0.0-alpha1
Affected by 0 other vulnerabilities.
9.0.9
Affected by 1 other vulnerability.
9.1.0-alpha1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:41:36.242422+00:00 GitLab Importer Affected by VCID-9dfs-rpqy-6kfa https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28949.yml 38.6.0
2026-06-04T20:41:32.231467+00:00 GitLab Importer Affected by VCID-5jy9-mhbb-nuh7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28948.yml 38.6.0