Package details: pkg:composer/drupal/core@8.6.0-beta1
purl pkg:composer/drupal/core@8.6.0-beta1
Next non-vulnerable version 9.4.14
Latest non-vulnerable version 11.2.8
Risk 4.5
Vulnerabilities affecting this package (21)
Vulnerability Summary Fixed by
VCID-163u-tpj9-skc5
Aliases:
GMS-2019-147
Cross-site Scripting vulnerability in drupal.
8.6.12
Affected by 16 other vulnerabilities.
VCID-1jfe-j1fz-juec
Aliases:
GMS-2018-54
URL Redirection to Untrusted Site ('Open Redirect') Anonymous Open Redirect in drupal.
8.6.2
Affected by 20 other vulnerabilities.
VCID-1xsh-7f63-v3df
Aliases:
CVE-2020-13672
GHSA-3m36-mjwj-352c
multiple issues
8.9.14
Affected by 6 other vulnerabilities.
9.0.12
Affected by 2 other vulnerabilities.
9.1.7
Affected by 6 other vulnerabilities.
VCID-49e1-axzk-3bdq
Aliases:
CVE-2020-13674
GHSA-j586-cj67-vg4p
multiple issues
8.9.19
Affected by 2 other vulnerabilities.
9.1.13
Affected by 2 other vulnerabilities.
9.2.6
Affected by 5 other vulnerabilities.
VCID-4p5n-ujzt-qfdx
Aliases:
CVE-2020-13669
GHSA-c533-c843-67h8
Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
8.8.10
Affected by 10 other vulnerabilities.
8.9.6
Affected by 11 other vulnerabilities.
9.0.6
Affected by 7 other vulnerabilities.
VCID-5qvn-f9d3-kygg
Aliases:
CVE-2022-39261
GHSA-52m2-vc4m-jj33
9.4.0-alpha1
Affected by 0 other vulnerabilities.
9.5.0-beta1
Affected by 0 other vulnerabilities.
VCID-757r-nv73-gfhg
Aliases:
GMS-2018-55
Code Injection Injection in `DefaultMailSystem::mail()`.
8.6.2
Affected by 20 other vulnerabilities.
VCID-7qhc-n6hc-ukbu
Aliases:
CVE-2019-11831
GHSA-xv7v-rf6g-xwrc
Moderately critical - Third-party libraries - SA-CORE-2019-007 The `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL.
8.6.16
Affected by 12 other vulnerabilities.
8.7.1
Affected by 15 other vulnerabilities.
VCID-b2x6-54c3-jqa2
Aliases:
CVE-2022-24775
GHSA-q7rv-6hp3-vh96
Improper Input Validation guzzlehttp/psr7 is a PSR-7 HTTP message library used in drupal. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values.
10.0.0-alpha1
Affected by 0 other vulnerabilities.
9.3.0-alpha1
Affected by 1 other vulnerability.
9.2.16
Affected by 2 other vulnerabilities.
9.3.9
Affected by 2 other vulnerabilities.
VCID-f687-ubdn-37en
Aliases:
CVE-2020-13670
GHSA-mmjr-5q74-p3m4
Exposure of Resource to Wrong Sphere Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
8.8.10
Affected by 10 other vulnerabilities.
8.9.6
Affected by 11 other vulnerabilities.
9.0.6
Affected by 7 other vulnerabilities.
VCID-j545-f44v-w3cn
Aliases:
CVE-2019-6339
GHSA-8cw5-rv98-5c46
Improper Input Validation A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted `phar://` URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
8.6.6
Affected by 18 other vulnerabilities.
VCID-j59x-5swn-fuga
Aliases:
CVE-2020-13677
GHSA-3xr3-phjp-g6p2
multiple issues
8.9.19
Affected by 2 other vulnerabilities.
9.1.13
Affected by 2 other vulnerabilities.
9.2.6
Affected by 5 other vulnerabilities.
VCID-jgec-wuca-bbf1
Aliases:
CVE-2020-13671
GHSA-68jc-v27h-vhmw
Drupal core Unrestricted Upload of File with Dangerous Type Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
8.8.11
Affected by 9 other vulnerabilities.
8.9.9
Affected by 10 other vulnerabilities.
9.0.8
Affected by 6 other vulnerabilities.
VCID-n6tq-72g7-afdg
Aliases:
CVE-2020-13668
GHSA-m6q5-wv4x-fv6h
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
8.8.10
Affected by 10 other vulnerabilities.
8.9.6
Affected by 11 other vulnerabilities.
9.0.6
Affected by 7 other vulnerabilities.
VCID-nfzm-eyht-kkb1
Aliases:
GMS-2018-52
Improper Access Control in drupal.
8.6.2
Affected by 20 other vulnerabilities.
VCID-ngmk-qxmz-gkdz
Aliases:
CVE-2020-13675
GHSA-v8wr-r69p-mmwx
multiple issues
8.9.19
Affected by 2 other vulnerabilities.
9.1.13
Affected by 2 other vulnerabilities.
9.2.6
Affected by 5 other vulnerabilities.
VCID-re2h-u5bk-wqbw
Aliases:
GMS-2018-53
URL Redirection to Untrusted Site ('Open Redirect') External URL injection through URL aliases in drupal.
8.6.2
Affected by 20 other vulnerabilities.
VCID-s6ek-bjnx-9fc1
Aliases:
CVE-2020-13676
GHSA-qfhg-m6r8-xxpj
multiple issues
8.9.19
Affected by 2 other vulnerabilities.
9.1.13
Affected by 2 other vulnerabilities.
9.2.6
Affected by 5 other vulnerabilities.
VCID-swh1-rvuw-jqfx
Aliases:
CVE-2020-28948
GHSA-jh5x-hfhg-78jq
8.9.10
Affected by 8 other vulnerabilities.
9.0.0-alpha1
Affected by 2 other vulnerabilities.
9.0.9
Affected by 4 other vulnerabilities.
9.1.0-alpha1
Affected by 2 other vulnerabilities.
VCID-vby4-6r8z-6qgy
Aliases:
GMS-2018-56
Improper Access Control In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.
8.6.2
Affected by 20 other vulnerabilities.
VCID-yy7m-f66v-fbhz
Aliases:
CVE-2019-6338
GHSA-6rmq-x2hv-vxpp
Deserialization of Untrusted Data Drupal core uses the third-party PEAR `Archive_Tar` library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
8.6.6
Affected by 18 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T07:05:45.886172+00:00 GitLab Importer Affected by VCID-5qvn-f9d3-kygg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2022-39261.yml 38.6.0
2026-06-01T06:33:47.923543+00:00 GitLab Importer Affected by VCID-b2x6-54c3-jqa2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2022-24775.yml 38.6.0
2026-06-01T06:30:30.305624+00:00 GitLab Importer Affected by VCID-ngmk-qxmz-gkdz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13675.yml 38.6.0
2026-06-01T06:30:29.212051+00:00 GitLab Importer Affected by VCID-49e1-axzk-3bdq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13674.yml 38.6.0
2026-06-01T06:30:28.286724+00:00 GitLab Importer Affected by VCID-n6tq-72g7-afdg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13668.yml 38.6.0
2026-06-01T06:30:27.361592+00:00 GitLab Importer Affected by VCID-4p5n-ujzt-qfdx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13669.yml 38.6.0
2026-06-01T06:30:26.300960+00:00 GitLab Importer Affected by VCID-1xsh-7f63-v3df https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13672.yml 38.6.0
2026-06-01T06:30:24.073741+00:00 GitLab Importer Affected by VCID-j59x-5swn-fuga https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13677.yml 38.6.0
2026-06-01T06:30:22.958776+00:00 GitLab Importer Affected by VCID-f687-ubdn-37en https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13670.yml 38.6.0
2026-06-01T06:30:19.762988+00:00 GitLab Importer Affected by VCID-s6ek-bjnx-9fc1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13676.yml 38.6.0
2026-06-01T06:19:22.095297+00:00 GitLab Importer Affected by VCID-jgec-wuca-bbf1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-13671.yml 38.6.0
2026-06-01T05:59:02.414743+00:00 GitLab Importer Affected by VCID-swh1-rvuw-jqfx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-28948.yml 38.6.0
2026-05-31T09:56:15.040934+00:00 GitLab Importer Affected by VCID-7qhc-n6hc-ukbu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2019-11831.yml 38.6.0
2026-05-31T09:54:49.555382+00:00 GitLab Importer Affected by VCID-163u-tpj9-skc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2019-147.yml 38.6.0
2026-05-31T09:53:12.761870+00:00 GitLab Importer Affected by VCID-j545-f44v-w3cn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2019-6339.yml 38.6.0
2026-05-31T09:53:12.158809+00:00 GitLab Importer Affected by VCID-yy7m-f66v-fbhz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2019-6338.yml 38.6.0
2026-05-31T09:51:24.240477+00:00 GitLab Importer Affected by VCID-757r-nv73-gfhg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-55.yml 38.6.0
2026-05-31T09:51:18.511273+00:00 GitLab Importer Affected by VCID-nfzm-eyht-kkb1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-52.yml 38.6.0
2026-05-31T09:51:17.606664+00:00 GitLab Importer Affected by VCID-1jfe-j1fz-juec https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-54.yml 38.6.0
2026-05-31T09:51:11.330780+00:00 GitLab Importer Affected by VCID-re2h-u5bk-wqbw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-53.yml 38.6.0
2026-05-31T09:51:08.917728+00:00 GitLab Importer Affected by VCID-vby4-6r8z-6qgy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-56.yml 38.6.0