Search for packages
| purl | pkg:composer/drupal/core@9.0.0-alpha1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-5jy9-mhbb-nuh7 | Deserialization of Untrusted Data Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. |
CVE-2020-28948
GHSA-jh5x-hfhg-78jq |
| VCID-67da-qxh5-aydx | multiple issues |
CVE-2020-36193
GHSA-rpw6-9xfx-jvcx |
| VCID-9dfs-rpqy-6kfa | Injection Vulnerability archive_tar has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. |
CVE-2020-28949
GHSA-75c5-f4gw-38r9 |
| VCID-tp81-dw6e-9qah | CKEditor 4.0 vulnerability in the HTML Data Processor A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14.0 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). |
CVE-2020-9281
GHSA-vcjf-mgcg-jxjq |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T20:43:18.654395+00:00 | GitLab Importer | Fixing | VCID-67da-qxh5-aydx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-36193.yml | 38.6.0 |
| 2026-06-04T20:41:35.343901+00:00 | GitLab Importer | Fixing | VCID-9dfs-rpqy-6kfa | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-28949.yml | 38.6.0 |
| 2026-06-04T20:41:33.780047+00:00 | GitLab Importer | Fixing | VCID-5jy9-mhbb-nuh7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-28948.yml | 38.6.0 |
| 2026-06-04T20:27:54.462238+00:00 | GitLab Importer | Fixing | VCID-tp81-dw6e-9qah | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-9281.yml | 38.6.0 |