{"url":"http://public2.vulnerablecode.io/api/packages/420058?format=json","purl":"pkg:composer/drupal/drupal@8.6.1","type":"composer","namespace":"drupal","name":"drupal","version":"8.6.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"10.2.11","latest_non_vulnerable_version":"11.0.8","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14595?format=json","vulnerability_id":"VCID-116e-fchv-qfhb","summary":"Drupal Anonymous Open Redirect\nDrupal core and contributed modules frequently use a \"destination\" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-3.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-3.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-x6v2-xmrq-574j","reference_id":"GHSA-x6v2-xmrq-574j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x6v2-xmrq-574j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-x6v2-xmrq-574j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-116e-fchv-qfhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/118818?format=json","vulnerability_id":"VCID-1jr4-f1rq-3kgj","summary":"Improper Access Control\nIn some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-62"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1jr4-f1rq-3kgj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35323?format=json","vulnerability_id":"VCID-2m8s-mngh-gueq","summary":"Improper input validation in Drupal core\nDrupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.\n\nDrupal 7 is not affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25273","reference_id":"","reference_type":"","scores":[{"value":"0.00474","scoring_system":"epss","scoring_elements":"0.65049","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25273"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273"},{"reference_url":"https://www.drupal.org/sa-core-2022-008","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T19:19:11Z/"}],"url":"https://www.drupal.org/sa-core-2022-008"},{"reference_url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9","reference_id":"GHSA-g36h-4jr6-qmm9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372687?format=json","purl":"pkg:composer/drupal/drupal@9.2.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-wzgy-85ks-6qh6"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/372682?format=json","purl":"pkg:composer/drupal/drupal@9.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-wzgy-85ks-6qh6"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.12"}],"aliases":["CVE-2022-25273","GHSA-g36h-4jr6-qmm9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2m8s-mngh-gueq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/118815?format=json","vulnerability_id":"VCID-2nnn-fzje-cydp","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nExternal URL injection through URL aliases in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-59"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2nnn-fzje-cydp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47962?format=json","vulnerability_id":"VCID-3d5q-yw99-qyce","summary":"Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data\nIn Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6338","reference_id":"","reference_type":"","scores":[{"value":"0.01047","scoring_system":"epss","scoring_elements":"0.778","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6338","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6338"},{"reference_url":"https://www.debian.org/security/2019/dsa-4370","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4370"},{"reference_url":"https://www.drupal.org/sa-core-2019-001","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-001"},{"reference_url":"http://www.securityfocus.com/bid/106706","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/106706"},{"reference_url":"https://github.com/advisories/GHSA-6rmq-x2hv-vxpp","reference_id":"GHSA-6rmq-x2hv-vxpp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6rmq-x2hv-vxpp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82999?format=json","purl":"pkg:composer/drupal/drupal@8.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.6"}],"aliases":["CVE-2019-6338","GHSA-6rmq-x2hv-vxpp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3d5q-yw99-qyce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15069?format=json","vulnerability_id":"VCID-4pff-9rwm-5fb7","summary":"Drupal External URL injection through URL aliases leading to Open Redirect\nThe path module in Drupal allows users with the 'administer paths' to create pretty URLs for content.\nIn certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-2.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-2.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-r67r-42wx-c8r7","reference_id":"GHSA-r67r-42wx-c8r7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r67r-42wx-c8r7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-r67r-42wx-c8r7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4pff-9rwm-5fb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50644?format=json","vulnerability_id":"VCID-5fdy-nm25-dug6","summary":"Cross-site Scripting in Drupal Core\nAccess Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13668","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44928","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13668"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8"},{"reference_url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb"},{"reference_url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668"},{"reference_url":"https://www.drupal.org/sa-core-2020-009","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-009"},{"reference_url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h","reference_id":"GHSA-m6q5-wv4x-fv6h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86713?format=json","purl":"pkg:composer/drupal/drupal@8.8.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/86714?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/86715?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13668","GHSA-m6q5-wv4x-fv6h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5fdy-nm25-dug6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/118857?format=json","vulnerability_id":"VCID-5g2g-y1ra-z7d1","summary":"Improper Access Control in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-58"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5g2g-y1ra-z7d1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50821?format=json","vulnerability_id":"VCID-5va2-3cbt-5kf4","summary":"Drupal core Cross-site Scripting (XSS) vulnerability\nCross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13672","reference_id":"","reference_type":"","scores":[{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68405","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13672"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13672","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13672"},{"reference_url":"https://www.drupal.org/sa-core-2021-002","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2021-002"},{"reference_url":"https://security.archlinux.org/AVG-1463","reference_id":"AVG-1463","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1463"},{"reference_url":"https://github.com/advisories/GHSA-3m36-mjwj-352c","reference_id":"GHSA-3m36-mjwj-352c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3m36-mjwj-352c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87207?format=json","purl":"pkg:composer/drupal/drupal@8.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.14"},{"url":"http://public2.vulnerablecode.io/api/packages/87208?format=json","purl":"pkg:composer/drupal/drupal@9.0.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.12"},{"url":"http://public2.vulnerablecode.io/api/packages/87209?format=json","purl":"pkg:composer/drupal/drupal@9.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.7"}],"aliases":["CVE-2020-13672","GHSA-3m36-mjwj-352c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5va2-3cbt-5kf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41651?format=json","vulnerability_id":"VCID-auz2-9sxn-uqbv","summary":"Drupal core Unrestricted Upload of File with Dangerous Type\nDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13671","reference_id":"","reference_type":"","scores":[{"value":"0.04504","scoring_system":"epss","scoring_elements":"0.89303","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13671"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671"},{"reference_url":"https://www.drupal.org/sa-core-2020-012","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/"}],"url":"https://www.drupal.org/sa-core-2020-012"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/","reference_id":"5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/"},{"reference_url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw","reference_id":"GHSA-68jc-v27h-vhmw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/","reference_id":"KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/"},{"reference_url":"https://usn.ubuntu.com/6981-1/","reference_id":"USN-6981-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6981-1/"},{"reference_url":"https://usn.ubuntu.com/6981-2/","reference_id":"USN-6981-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6981-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75314?format=json","purl":"pkg:composer/drupal/drupal@8.8.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.11"},{"url":"http://public2.vulnerablecode.io/api/packages/75315?format=json","purl":"pkg:composer/drupal/drupal@8.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.9"},{"url":"http://public2.vulnerablecode.io/api/packages/75316?format=json","purl":"pkg:composer/drupal/drupal@9.0.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.8"}],"aliases":["CVE-2020-13671","GHSA-68jc-v27h-vhmw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-auz2-9sxn-uqbv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9840?format=json","vulnerability_id":"VCID-cxka-stdd-2kem","summary":"Drupal core Access bypass\nDrupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55634","reference_id":"","reference_type":"","scores":[{"value":"0.01148","scoring_system":"epss","scoring_elements":"0.78778","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55634"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55634","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55634"},{"reference_url":"https://www.drupal.org/sa-core-2024-004","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-11T16:38:29Z/"}],"url":"https://www.drupal.org/sa-core-2024-004"},{"reference_url":"https://github.com/advisories/GHSA-7cwc-fjqm-8vh8","reference_id":"GHSA-7cwc-fjqm-8vh8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7cwc-fjqm-8vh8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23907?format=json","purl":"pkg:composer/drupal/drupal@10.2.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/23915?format=json","purl":"pkg:composer/drupal/drupal@10.3.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/23998?format=json","purl":"pkg:composer/drupal/drupal@11.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@11.0.8"}],"aliases":["CVE-2024-55634","GHSA-7cwc-fjqm-8vh8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cxka-stdd-2kem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48375?format=json","vulnerability_id":"VCID-cznm-4t76-nqe8","summary":"Symfony Cross-site Scripting (XSS) vulnerability\nIn Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10909","reference_id":"","reference_type":"","scores":[{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58025","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10909"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19789","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19789"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19790"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10910","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10910"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10911","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10911"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10912","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10912"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10913","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10913"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10909","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10909"},{"reference_url":"https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine"},{"reference_url":"https://symfony.com/cve-2019-10909","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2019-10909"},{"reference_url":"https://www.drupal.org/sa-core-2019-005","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-005"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_19","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_19"},{"reference_url":"https://github.com/advisories/GHSA-g996-q5r8-w7g2","reference_id":"GHSA-g996-q5r8-w7g2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g996-q5r8-w7g2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83468?format=json","purl":"pkg:composer/drupal/drupal@8.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.15"}],"aliases":["CVE-2019-10909","GHSA-g996-q5r8-w7g2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cznm-4t76-nqe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14620?format=json","vulnerability_id":"VCID-ehkb-t1ez-87b2","summary":"Drupal Content moderation Access bypass\nIn some conditions, drupal content moderation fails to check a users access to use certain transitions, leading to an access bypass.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-1.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-86xw-vmcx-9mj4","reference_id":"GHSA-86xw-vmcx-9mj4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-86xw-vmcx-9mj4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-86xw-vmcx-9mj4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ehkb-t1ez-87b2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10946?format=json","vulnerability_id":"VCID-gcq4-ecex-4bev","summary":"Drupal Full Path Disclosure\n`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45440","reference_id":"","reference_type":"","scores":[{"value":"0.86689","scoring_system":"epss","scoring_elements":"0.99436","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45440"},{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/github/advisory-database/pull/4827","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-database/pull/4827"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45440","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45440"},{"reference_url":"https://senscybersecurity.nl/CVE-2024-45440-Explained","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://senscybersecurity.nl/CVE-2024-45440-Explained"},{"reference_url":"https://www.drupal.org/project/drupal/issues/3457781","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/"}],"url":"https://www.drupal.org/project/drupal/issues/3457781"},{"reference_url":"https://www.drupal.org/project/drupal/releases/10.2.9","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/project/drupal/releases/10.2.9"},{"reference_url":"https://www.drupal.org/project/drupal/releases/10.3.6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/project/drupal/releases/10.3.6"},{"reference_url":"https://www.drupal.org/project/drupal/releases/11.0.5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/project/drupal/releases/11.0.5"},{"reference_url":"https://www.exploit-db.com/exploits/52266","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/52266"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py","reference_id":"CVE-2024-45440","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py"},{"reference_url":"https://senscybersecurity.nl/CVE-2024-45440-Explained/","reference_id":"CVE-2024-45440-Explained","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/"}],"url":"https://senscybersecurity.nl/CVE-2024-45440-Explained/"},{"reference_url":"https://github.com/advisories/GHSA-mg8j-w93w-xjgc","reference_id":"GHSA-mg8j-w93w-xjgc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mg8j-w93w-xjgc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29014?format=json","purl":"pkg:composer/drupal/drupal@10.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/722379?format=json","purl":"pkg:composer/drupal/drupal@10.3.0-beta1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.3.0-beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/28947?format=json","purl":"pkg:composer/drupal/drupal@10.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/722382?format=json","purl":"pkg:composer/drupal/drupal@11.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@11.0.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/28949?format=json","purl":"pkg:composer/drupal/drupal@11.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@11.0.5"}],"aliases":["CVE-2024-45440","GHSA-mg8j-w93w-xjgc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gcq4-ecex-4bev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42289?format=json","vulnerability_id":"VCID-gmw7-aj3y-eqed","summary":"Directory Traversal in typo3/phar-stream-wrapper\nThe PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11831","reference_id":"","reference_type":"","scores":[{"value":"0.09532","scoring_system":"epss","scoring_elements":"0.92976","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11831"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11831","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11831"},{"reference_url":"https://seclists.org/bugtraq/2019/May/36","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/bugtraq/2019/May/36"},{"reference_url":"https://typo3.org/security/advisory/typo3-psa-2019-007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-psa-2019-007"},{"reference_url":"https://typo3.org/security/advisory/typo3-psa-2019-007/","reference_id":"","reference_type":"","scores":[],"url":"https://typo3.org/security/advisory/typo3-psa-2019-007/"},{"reference_url":"https://www.debian.org/security/2019/dsa-4445","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4445"},{"reference_url":"https://www.drupal.org/sa-core-2019-007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-007"},{"reference_url":"https://www.drupal.org/SA-CORE-2019-007","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2019-007"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_22","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_22"},{"reference_url":"http://www.securityfocus.com/bid/108302","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/108302"},{"reference_url":"https://github.com/advisories/GHSA-xv7v-rf6g-xwrc","reference_id":"GHSA-xv7v-rf6g-xwrc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xv7v-rf6g-xwrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76377?format=json","purl":"pkg:composer/drupal/drupal@8.6.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.16"},{"url":"http://public2.vulnerablecode.io/api/packages/76379?format=json","purl":"pkg:composer/drupal/drupal@8.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.1"}],"aliases":["CVE-2019-11831","GHSA-xv7v-rf6g-xwrc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gmw7-aj3y-eqed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61103?format=json","vulnerability_id":"VCID-gsxj-r5ww-jqb3","summary":"Drupal Core Remote Code Execution Vulnerability\nSome field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6340","reference_id":"","reference_type":"","scores":[{"value":"0.9441","scoring_system":"epss","scoring_elements":"0.99979","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6340"},{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6340","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6340"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340"},{"reference_url":"https://www.drupal.org/sa-core-2019-003","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.drupal.org/sa-core-2019-003"},{"reference_url":"https://www.exploit-db.com/exploits/46452","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46452"},{"reference_url":"https://www.exploit-db.com/exploits/46459","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46459"},{"reference_url":"https://www.exploit-db.com/exploits/46510","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46510"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_09","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_09"},{"reference_url":"http://www.securityfocus.com/bid/107106","reference_id":"107106","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"http://www.securityfocus.com/bid/107106"},{"reference_url":"https://www.exploit-db.com/exploits/46452/","reference_id":"46452","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.exploit-db.com/exploits/46452/"},{"reference_url":"https://www.exploit-db.com/exploits/46459/","reference_id":"46459","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.exploit-db.com/exploits/46459/"},{"reference_url":"https://www.exploit-db.com/exploits/46510/","reference_id":"46510","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.exploit-db.com/exploits/46510/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46510.rb","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46510.rb"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46452.txt","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46452.txt"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46459.py","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46459.py"},{"reference_url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/6ff18828c0273b7170469939a49e4b063d561799/modules/exploits/unix/webapp/drupal_restws_unserialize.rb","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/6ff18828c0273b7170469939a49e4b063d561799/modules/exploits/unix/webapp/drupal_restws_unserialize.rb"},{"reference_url":"https://www.ambionics.io/blog/drupal8-rce","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://www.ambionics.io/blog/drupal8-rce"},{"reference_url":"https://github.com/advisories/GHSA-3gx6-h57h-rm27","reference_id":"GHSA-3gx6-h57h-rm27","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3gx6-h57h-rm27"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/174318?format=json","purl":"pkg:composer/drupal/drupal@8.6.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.10"}],"aliases":["CVE-2019-6340","GHSA-3gx6-h57h-rm27"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gsxj-r5ww-jqb3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14338?format=json","vulnerability_id":"VCID-j3gm-p2gw-yyf3","summary":"Drupal core Remote Code Execution\nIn Drupal core, when sending email some variables were not being sanitized for shell arguments in `DefaultMailSystem::mail()`, which could lead to remote code execution.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-jf8c-36vw-98x4","reference_id":"GHSA-jf8c-36vw-98x4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jf8c-36vw-98x4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-jf8c-36vw-98x4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j3gm-p2gw-yyf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14728?format=json","vulnerability_id":"VCID-kfpf-58rs-7yh3","summary":"Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar\nThe Drupal project uses the third-party library [Archive_Tar](https://pear.php.net/package/Archive_Tar/), which has released a security improvement that is needed to protect some Drupal configurations.\n\nMultiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.\n\nThe latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-4.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-4.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-012","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-012"},{"reference_url":"https://github.com/advisories/GHSA-m9fv-whq2-6wmc","reference_id":"GHSA-m9fv-whq2-6wmc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m9fv-whq2-6wmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40911?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/40912?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-8nzc-yz4r-xfh5"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-m9fv-whq2-6wmc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kfpf-58rs-7yh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50673?format=json","vulnerability_id":"VCID-mcr7-epdy-5fb6","summary":"Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor\nCross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13669","reference_id":"","reference_type":"","scores":[{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42356","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13669"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669"},{"reference_url":"https://www.drupal.org/sa-core-2020-010","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-010"},{"reference_url":"https://github.com/advisories/GHSA-c533-c843-67h8","reference_id":"GHSA-c533-c843-67h8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c533-c843-67h8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86713?format=json","purl":"pkg:composer/drupal/drupal@8.8.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/86714?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/86715?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13669","GHSA-c533-c843-67h8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mcr7-epdy-5fb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14708?format=json","vulnerability_id":"VCID-nnnh-rx8s-mfhy","summary":"Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution\nThe Contextual Links module doesn't sufficiently validate the requested contextual links.\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access contextual links\".","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-5.yaml","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-5.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-jjx7-8462-w4m4","reference_id":"GHSA-jjx7-8462-w4m4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjx7-8462-w4m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-jjx7-8462-w4m4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nnnh-rx8s-mfhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49913?format=json","vulnerability_id":"VCID-nvuq-z8gx-pkby","summary":"Arbitrary PHP code execution in Drupal\nIn Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6, and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in\nPHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6339","reference_id":"","reference_type":"","scores":[{"value":"0.76091","scoring_system":"epss","scoring_elements":"0.98942","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6339"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6339","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6339"},{"reference_url":"https://www.debian.org/security/2019/dsa-4370","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4370"},{"reference_url":"https://www.drupal.org/sa-core-2019-002","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-002"},{"reference_url":"https://github.com/advisories/GHSA-8cw5-rv98-5c46","reference_id":"GHSA-8cw5-rv98-5c46","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8cw5-rv98-5c46"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82999?format=json","purl":"pkg:composer/drupal/drupal@8.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.6"}],"aliases":["CVE-2019-6339","GHSA-8cw5-rv98-5c46"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nvuq-z8gx-pkby"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35469?format=json","vulnerability_id":"VCID-q246-xubs-buds","summary":"Access bypass in Drupal Core\nDrupal core form API evaluates form element access incorrectly. This can lead to a user being able to alter data they should not have access to.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25278","reference_id":"","reference_type":"","scores":[{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.66063","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25278"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278"},{"reference_url":"https://www.drupal.org/sa-core-2022-013","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:39:47Z/"}],"url":"https://www.drupal.org/sa-core-2022-013"},{"reference_url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85","reference_id":"GHSA-cfh2-7f6h-3m85","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372679?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/372680?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wuvf-1n1t-4uav"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25278","GHSA-cfh2-7f6h-3m85"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q246-xubs-buds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14639?format=json","vulnerability_id":"VCID-rfc5-ndu6-zqbb","summary":"Drupal core uses a vulnerable Third-party library CKEditor\nThe Drupal project uses the third-party library [CKEditor](https://github.com/ckeditor/ckeditor4), which has released a [security improvement](https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed) that is needed to protect some Drupal configurations.\n\nVulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.\n\nThe latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-03-18.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-03-18.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2020-001","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-001"},{"reference_url":"https://github.com/advisories/GHSA-337w-fxpq-5m34","reference_id":"GHSA-337w-fxpq-5m34","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-337w-fxpq-5m34"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42184?format=json","purl":"pkg:composer/drupal/drupal@8.7.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.12"},{"url":"http://public2.vulnerablecode.io/api/packages/42189?format=json","purl":"pkg:composer/drupal/drupal@8.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-8nzc-yz4r-xfh5"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.4"}],"aliases":["GHSA-337w-fxpq-5m34"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rfc5-ndu6-zqbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/118820?format=json","vulnerability_id":"VCID-ryv6-4ycg-9ubs","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nAnonymous Open Redirect in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-60"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ryv6-4ycg-9ubs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14336?format=json","vulnerability_id":"VCID-styf-qkwt-27ax","summary":"Drupal Cross-Site Scripting (XSS) affecting CKEditor Third-party library\nThe Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2021-05-26.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2021-05-26.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2021-005","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2021-005"},{"reference_url":"https://github.com/advisories/GHSA-qf65-hph9-453r","reference_id":"GHSA-qf65-hph9-453r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qf65-hph9-453r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40996?format=json","purl":"pkg:composer/drupal/drupal@8.9.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.16"},{"url":"http://public2.vulnerablecode.io/api/packages/40997?format=json","purl":"pkg:composer/drupal/drupal@9.1.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/40999?format=json","purl":"pkg:composer/drupal/drupal@9.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-8yuh-edzb-6bgv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-bp2y-fdjq-a3dv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-hb4u-drn4-wqae"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-wzgy-85ks-6qh6"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zfbr-ztum-9qah"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.2.4"}],"aliases":["GHSA-qf65-hph9-453r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-styf-qkwt-27ax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/118817?format=json","vulnerability_id":"VCID-tvvs-2wsf-fqfw","summary":"Code Injection\nInjection in `DefaultMailSystem::mail()`.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41006?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-3d5q-yw99-qyce"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-gsxj-r5ww-jqb3"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-nvuq-z8gx-pkby"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-urcr-8ftt-1yav"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-61"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tvvs-2wsf-fqfw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/119610?format=json","vulnerability_id":"VCID-urcr-8ftt-1yav","summary":"Cross-site Scripting vulnerability in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2019-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-004"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/370282?format=json","purl":"pkg:composer/drupal/drupal@8.6.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xcbr-2cq9-r3g4"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.12"}],"aliases":["GMS-2019-148"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-urcr-8ftt-1yav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35551?format=json","vulnerability_id":"VCID-wqau-9s1h-mfa2","summary":"Lack of domain validation in Druple core\nThe Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.\n\nDrupal 7 core does not include the Media module and therefore is not affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25276","reference_id":"","reference_type":"","scores":[{"value":"0.02253","scoring_system":"epss","scoring_elements":"0.84862","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25276"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276"},{"reference_url":"https://www.drupal.org/sa-core-2022-015","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2022-015"},{"reference_url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx","reference_id":"GHSA-4wfq-jc9h-vpcx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372679?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/372680?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wuvf-1n1t-4uav"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25276","GHSA-4wfq-jc9h-vpcx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wqau-9s1h-mfa2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50991?format=json","vulnerability_id":"VCID-wrqz-n4m4-4kad","summary":"Drupal core Information Disclosure vulnerability\nIn some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.\n\nAccess to a non-public file is checked only if it is stored in the \"private\" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.\n\nThis vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) `$config['image.settings']['allow_insecure_derivatives']` or (Drupal 7) `$conf['image_allow_insecure_derivatives']` to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.\n\nSome sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25275","reference_id":"","reference_type":"","scores":[{"value":"0.00496","scoring_system":"epss","scoring_elements":"0.66099","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25275"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf"},{"reference_url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275"},{"reference_url":"https://www.drupal.org/sa-core-2022-012","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:45:46Z/"}],"url":"https://www.drupal.org/sa-core-2022-012"},{"reference_url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3","reference_id":"GHSA-xh3v-6f9j-wxw3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372679?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/372680?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wuvf-1n1t-4uav"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25275","GHSA-xh3v-6f9j-wxw3","GMS-2022-3362"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wrqz-n4m4-4kad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51622?format=json","vulnerability_id":"VCID-x6tq-ndbs-8kah","summary":"Improper Input Validation in guzzlehttp/psr7\n### Impact\n\nImproper header parsing. An attacker could sneak in a carriage return character (`\\r`) and pass untrusted values in both the header names and values.\n\n### Patches\n\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775","reference_id":"","reference_type":"","scores":[{"value":"0.00931","scoring_system":"epss","scoring_elements":"0.76439","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml"},{"reference_url":"https://github.com/guzzle/psr7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/psr7"},{"reference_url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1"},{"reference_url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc"},{"reference_url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"},{"reference_url":"https://www.drupal.org/sa-core-2022-006","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://www.drupal.org/sa-core-2022-006"},{"reference_url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236","reference_id":"1008236","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236"},{"reference_url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://usn.ubuntu.com/6670-1/","reference_id":"USN-6670-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6670-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371520?format=json","purl":"pkg:composer/drupal/drupal@9.2.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-wzgy-85ks-6qh6"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/532628?format=json","purl":"pkg:composer/drupal/drupal@9.3.0-alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/371521?format=json","purl":"pkg:composer/drupal/drupal@9.3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-8118-a26x-cbge"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-wzgy-85ks-6qh6"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/532631?format=json","purl":"pkg:composer/drupal/drupal@10.0.0-alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.0.0-alpha1"}],"aliases":["CVE-2022-24775","GHSA-q7rv-6hp3-vh96"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x6tq-ndbs-8kah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54726?format=json","vulnerability_id":"VCID-xcbr-2cq9-r3g4","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6341","reference_id":"","reference_type":"","scores":[{"value":"0.47079","scoring_system":"epss","scoring_elements":"0.9773","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6341"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6341.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6341.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6341.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6341.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6341","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6341"},{"reference_url":"https://www.drupal.org/sa-core-2019-004","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-004"},{"reference_url":"https://www.drupal.org/SA-CORE-2019-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2019-004"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_13","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_13"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/181905?format=json","purl":"pkg:composer/drupal/drupal@8.6.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-cznm-4t76-nqe8"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-gmw7-aj3y-eqed"},{"vulnerability":"VCID-kfpf-58rs-7yh3"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-xq2m-q4fc-yfh4"},{"vulnerability":"VCID-y3fw-p7s3-k7g5"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"},{"vulnerability":"VCID-zy6y-cgx2-kbgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.13"}],"aliases":["CVE-2019-6341","GHSA-cmmh-8mwp-gq5p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xcbr-2cq9-r3g4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14560?format=json","vulnerability_id":"VCID-xq2m-q4fc-yfh4","summary":"Drupal core Denial of Service\nA visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-1.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-009","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-009"},{"reference_url":"https://github.com/advisories/GHSA-w333-5f96-mjrr","reference_id":"GHSA-w333-5f96-mjrr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w333-5f96-mjrr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40911?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/40912?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-8nzc-yz4r-xfh5"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-w333-5f96-mjrr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xq2m-q4fc-yfh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15085?format=json","vulnerability_id":"VCID-y3fw-p7s3-k7g5","summary":"Drupal core Access control bypass\nThe Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.\n\n### Solution: \nIf you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.\nIf you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.\nVersions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.\n\nAlternatively, you may mitigate this vulnerability by unchecking the \"Enable advanced UI\" checkbox on `/admin/config/media/media-library`. (This mitigation is not available in 8.7.x.)","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-011","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-011"},{"reference_url":"https://github.com/advisories/GHSA-5x28-3f32-x523","reference_id":"GHSA-5x28-3f32-x523","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5x28-3f32-x523"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40911?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/40912?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-8nzc-yz4r-xfh5"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-5x28-3f32-x523"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3fw-p7s3-k7g5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50490?format=json","vulnerability_id":"VCID-yvm8-bhy4-27b7","summary":"Exposure of Resource to Wrong Sphere in Drupal Core\nInformation Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13670","reference_id":"","reference_type":"","scores":[{"value":"0.00427","scoring_system":"epss","scoring_elements":"0.62611","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13670"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670"},{"reference_url":"https://www.drupal.org/sa-core-2020-011","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-011"},{"reference_url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4","reference_id":"GHSA-mmjr-5q74-p3m4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86713?format=json","purl":"pkg:composer/drupal/drupal@8.8.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/86714?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/86715?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13670","GHSA-mmjr-5q74-p3m4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yvm8-bhy4-27b7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14584?format=json","vulnerability_id":"VCID-z7p4-r3jg-t3h7","summary":"Drupal core Arbitrary PHP code execution\nThe Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:\nCVE-2020-28948\nCVE-2020-28949\n\nMultiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.\n\nTo mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-11-25.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-11-25.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2020-013","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-013"},{"reference_url":"https://github.com/advisories/GHSA-j66p-fvp2-fxhj","reference_id":"GHSA-j66p-fvp2-fxhj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j66p-fvp2-fxhj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41639?format=json","purl":"pkg:composer/drupal/drupal@8.8.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.12"},{"url":"http://public2.vulnerablecode.io/api/packages/41646?format=json","purl":"pkg:composer/drupal/drupal@8.9.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.10"},{"url":"http://public2.vulnerablecode.io/api/packages/41652?format=json","purl":"pkg:composer/drupal/drupal@9.0.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-36rq-avts-1yat"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.9"}],"aliases":["GHSA-j66p-fvp2-fxhj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z7p4-r3jg-t3h7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50979?format=json","vulnerability_id":"VCID-zcb4-c85n-hbed","summary":"Drupal core arbitrary PHP code execution\nDrupal core sanitizes filenames with dangerous extensions upon upload and strips leading and trailing dots from filenames to prevent uploading server configuration files.\n\nHowever, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers.\n\nThis issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25277","reference_id":"","reference_type":"","scores":[{"value":"0.03014","scoring_system":"epss","scoring_elements":"0.86829","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25277"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17"},{"reference_url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277"},{"reference_url":"https://www.drupal.org/sa-core-2022-014","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-03T18:41:13Z/"}],"url":"https://www.drupal.org/sa-core-2022-014"},{"reference_url":"https://github.com/advisories/GHSA-6955-67hm-vjjq","reference_id":"GHSA-6955-67hm-vjjq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6955-67hm-vjjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372679?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/372680?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wuvf-1n1t-4uav"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25277","GHSA-6955-67hm-vjjq","GMS-2022-3361"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zcb4-c85n-hbed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14292?format=json","vulnerability_id":"VCID-zy6y-cgx2-kbgm","summary":"Drupal Malicious file upload with filenames stating with dot\nDrupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.\n\nUsers with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.\n\nAfter this fix, file_save_upload() now trims leading and trailing dots from filenames.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-010","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-010"},{"reference_url":"https://github.com/advisories/GHSA-58xv-7h9r-mx3c","reference_id":"GHSA-58xv-7h9r-mx3c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-58xv-7h9r-mx3c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40911?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/40912?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2m8s-mngh-gueq"},{"vulnerability":"VCID-5fdy-nm25-dug6"},{"vulnerability":"VCID-5h8d-enm7-rqbw"},{"vulnerability":"VCID-5va2-3cbt-5kf4"},{"vulnerability":"VCID-7y6c-12pw-rkfg"},{"vulnerability":"VCID-8nzc-yz4r-xfh5"},{"vulnerability":"VCID-98gx-gkju-2yg9"},{"vulnerability":"VCID-auz2-9sxn-uqbv"},{"vulnerability":"VCID-axq4-dctg-gqaq"},{"vulnerability":"VCID-bdqk-f4sk-abf4"},{"vulnerability":"VCID-cxka-stdd-2kem"},{"vulnerability":"VCID-da4r-qg9c-a3g4"},{"vulnerability":"VCID-fm7k-bdez-sud9"},{"vulnerability":"VCID-gcq4-ecex-4bev"},{"vulnerability":"VCID-mcr7-epdy-5fb6"},{"vulnerability":"VCID-q246-xubs-buds"},{"vulnerability":"VCID-rfc5-ndu6-zqbb"},{"vulnerability":"VCID-styf-qkwt-27ax"},{"vulnerability":"VCID-t334-vgfv-cbdb"},{"vulnerability":"VCID-u2db-r83x-8ff9"},{"vulnerability":"VCID-wqau-9s1h-mfa2"},{"vulnerability":"VCID-wrqz-n4m4-4kad"},{"vulnerability":"VCID-x6tq-ndbs-8kah"},{"vulnerability":"VCID-yvm8-bhy4-27b7"},{"vulnerability":"VCID-z7p4-r3jg-t3h7"},{"vulnerability":"VCID-zcb4-c85n-hbed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-58xv-7h9r-mx3c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zy6y-cgx2-kbgm"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.1"}