{"url":"http://public2.vulnerablecode.io/api/packages/539542?format=json","purl":"pkg:composer/drupal/drupal@9.3.1","type":"composer","namespace":"drupal","name":"drupal","version":"9.3.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.3.19","latest_non_vulnerable_version":"11.0.8","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/169249?format=json","vulnerability_id":"VCID-91kw-xn5d-pbbe","summary":"Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29248","reference_id":"","reference_type":"","scores":[{"value":"0.00637","scoring_system":"epss","scoring_elements":"0.70959","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29248"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44854","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44854"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44855","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44855"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44856","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44856"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28201","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28201"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28202"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28203","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28203"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31042"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31043"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31090"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34911","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34911"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34912","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34912"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41765","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41767","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41767"},{"reference_url":"https://github.com/guzzle/guzzle","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/guzzle"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011636","reference_id":"1011636","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011636"},{"reference_url":"https://github.com/guzzle/guzzle/pull/3018","reference_id":"3018","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/"}],"url":"https://github.com/guzzle/guzzle/pull/3018"},{"reference_url":"https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab","reference_id":"74a8602c6faec9ef74b7a9391ac82c5e65b1cdab","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/"}],"url":"https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab"},{"reference_url":"https://security.archlinux.org/AVG-2823","reference_id":"AVG-2823","reference_type":"","scores":[{"value":"Unknown","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2823"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29248","reference_id":"CVE-2022-29248","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29248"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml","reference_id":"CVE-2022-29248.YAML","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml"},{"reference_url":"https://www.debian.org/security/2022/dsa-5246","reference_id":"dsa-5246","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/"}],"url":"https://www.debian.org/security/2022/dsa-5246"},{"reference_url":"https://github.com/advisories/GHSA-cwmx-hcrq-mhc3","reference_id":"GHSA-cwmx-hcrq-mhc3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwmx-hcrq-mhc3"},{"reference_url":"https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3","reference_id":"GHSA-cwmx-hcrq-mhc3","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/"}],"url":"https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3"},{"reference_url":"https://www.drupal.org/sa-core-2022-010","reference_id":"sa-core-2022-010","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:52:51Z/"}],"url":"https://www.drupal.org/sa-core-2022-010"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/569016?format=json","purl":"pkg:composer/drupal/drupal@9.4.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.0-alpha1"}],"aliases":["CVE-2022-29248","GHSA-cwmx-hcrq-mhc3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-91kw-xn5d-pbbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163477?format=json","vulnerability_id":"VCID-cdm9-t56e-83aj","summary":"Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25274","reference_id":"","reference_type":"","scores":[{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31838","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25274"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25274","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25274"},{"reference_url":"https://github.com/advisories/GHSA-7jr4-hgqx-vwgq","reference_id":"GHSA-7jr4-hgqx-vwgq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7jr4-hgqx-vwgq"},{"reference_url":"https://www.drupal.org/sa-core-2022-009","reference_id":"sa-core-2022-009","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:47:15Z/"}],"url":"https://www.drupal.org/sa-core-2022-009"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393435?format=json","purl":"pkg:composer/drupal/drupal@9.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-91kw-xn5d-pbbe"},{"vulnerability":"VCID-hdq9-fe9e-93hb"},{"vulnerability":"VCID-nhub-1map-n3by"},{"vulnerability":"VCID-wn4r-rc6m-xbhy"},{"vulnerability":"VCID-zymc-a812-1ua5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.12"}],"aliases":["CVE-2022-25274","GHSA-7jr4-hgqx-vwgq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cdm9-t56e-83aj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173496?format=json","vulnerability_id":"VCID-ed3c-h2ww-j3gm","summary":"guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775","reference_id":"","reference_type":"","scores":[{"value":"0.00931","scoring_system":"epss","scoring_elements":"0.76567","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775"},{"reference_url":"https://github.com/guzzle/psr7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/psr7"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236","reference_id":"1008236","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236"},{"reference_url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc","reference_id":"9a96d9db668b485361ed9de7b5bf1e54895df1dc","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775","reference_id":"CVE-2022-24775","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml","reference_id":"CVE-2022-24775.YAML","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml"},{"reference_url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1","reference_id":"e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1"},{"reference_url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://www.drupal.org/sa-core-2022-006","reference_id":"sa-core-2022-006","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://www.drupal.org/sa-core-2022-006"},{"reference_url":"https://usn.ubuntu.com/6670-1/","reference_id":"USN-6670-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6670-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392286?format=json","purl":"pkg:composer/drupal/drupal@9.3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-91kw-xn5d-pbbe"},{"vulnerability":"VCID-cdm9-t56e-83aj"},{"vulnerability":"VCID-hdq9-fe9e-93hb"},{"vulnerability":"VCID-nhub-1map-n3by"},{"vulnerability":"VCID-wn4r-rc6m-xbhy"},{"vulnerability":"VCID-zxut-nxke-7fce"},{"vulnerability":"VCID-zymc-a812-1ua5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/546042?format=json","purl":"pkg:composer/drupal/drupal@10.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.0.0-alpha1"}],"aliases":["CVE-2022-24775","GHSA-q7rv-6hp3-vh96"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ed3c-h2ww-j3gm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163547?format=json","vulnerability_id":"VCID-hdq9-fe9e-93hb","summary":"In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the \"private\" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25275","reference_id":"","reference_type":"","scores":[{"value":"0.00579","scoring_system":"epss","scoring_elements":"0.69346","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25275"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf"},{"reference_url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275","reference_id":"CVE-2022-25275","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml","reference_id":"CVE-2022-25275.YAML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml"},{"reference_url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3","reference_id":"GHSA-xh3v-6f9j-wxw3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3"},{"reference_url":"https://www.drupal.org/sa-core-2022-012","reference_id":"sa-core-2022-012","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:45:46Z/"}],"url":"https://www.drupal.org/sa-core-2022-012"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393432?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/393433?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7669-dguj-2qfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25275","GHSA-xh3v-6f9j-wxw3","GMS-2022-3362"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hdq9-fe9e-93hb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163420?format=json","vulnerability_id":"VCID-nhub-1map-n3by","summary":"Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25277","reference_id":"","reference_type":"","scores":[{"value":"0.02448","scoring_system":"epss","scoring_elements":"0.85523","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25277"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17"},{"reference_url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277","reference_id":"CVE-2022-25277","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml","reference_id":"CVE-2022-25277.YAML","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml"},{"reference_url":"https://github.com/advisories/GHSA-6955-67hm-vjjq","reference_id":"GHSA-6955-67hm-vjjq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6955-67hm-vjjq"},{"reference_url":"https://www.drupal.org/sa-core-2022-014","reference_id":"sa-core-2022-014","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-03T18:41:13Z/"}],"url":"https://www.drupal.org/sa-core-2022-014"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393432?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/393433?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7669-dguj-2qfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25277","GHSA-6955-67hm-vjjq","GMS-2022-3361"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhub-1map-n3by"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208224?format=json","vulnerability_id":"VCID-sdue-15dg-4ugt","summary":"Incorrect authorization in Drupal core","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25270","reference_id":"","reference_type":"","scores":[{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.49088","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25270"},{"reference_url":"https://www.drupal.org/sa-core-2022-004","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2022-004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25270","reference_id":"CVE-2022-25270","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25270"},{"reference_url":"https://github.com/advisories/GHSA-73q4-j324-2qcc","reference_id":"GHSA-73q4-j324-2qcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-73q4-j324-2qcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/539547?format=json","purl":"pkg:composer/drupal/drupal@9.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-91kw-xn5d-pbbe"},{"vulnerability":"VCID-cdm9-t56e-83aj"},{"vulnerability":"VCID-ed3c-h2ww-j3gm"},{"vulnerability":"VCID-hdq9-fe9e-93hb"},{"vulnerability":"VCID-nhub-1map-n3by"},{"vulnerability":"VCID-wn4r-rc6m-xbhy"},{"vulnerability":"VCID-zxut-nxke-7fce"},{"vulnerability":"VCID-zymc-a812-1ua5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.6"}],"aliases":["CVE-2022-25270","GHSA-73q4-j324-2qcc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sdue-15dg-4ugt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163388?format=json","vulnerability_id":"VCID-wn4r-rc6m-xbhy","summary":"Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25278","reference_id":"","reference_type":"","scores":[{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.65504","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25278"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278"},{"reference_url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85","reference_id":"GHSA-cfh2-7f6h-3m85","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85"},{"reference_url":"https://www.drupal.org/sa-core-2022-013","reference_id":"sa-core-2022-013","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:39:47Z/"}],"url":"https://www.drupal.org/sa-core-2022-013"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393432?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/393433?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7669-dguj-2qfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25278","GHSA-cfh2-7f6h-3m85"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wn4r-rc6m-xbhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208226?format=json","vulnerability_id":"VCID-yjm8-gadp-jkhr","summary":"Improper input validation in Drupal core","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25271","reference_id":"","reference_type":"","scores":[{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58211","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25271"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"},{"reference_url":"https://www.drupal.org/sa-core-2022-003","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2022-003"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25271","reference_id":"CVE-2022-25271","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25271"},{"reference_url":"https://github.com/advisories/GHSA-fmfv-x8mp-5767","reference_id":"GHSA-fmfv-x8mp-5767","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fmfv-x8mp-5767"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/539547?format=json","purl":"pkg:composer/drupal/drupal@9.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-91kw-xn5d-pbbe"},{"vulnerability":"VCID-cdm9-t56e-83aj"},{"vulnerability":"VCID-ed3c-h2ww-j3gm"},{"vulnerability":"VCID-hdq9-fe9e-93hb"},{"vulnerability":"VCID-nhub-1map-n3by"},{"vulnerability":"VCID-wn4r-rc6m-xbhy"},{"vulnerability":"VCID-zxut-nxke-7fce"},{"vulnerability":"VCID-zymc-a812-1ua5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.6"}],"aliases":["CVE-2022-25271","GHSA-fmfv-x8mp-5767"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yjm8-gadp-jkhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163574?format=json","vulnerability_id":"VCID-zxut-nxke-7fce","summary":"Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25273","reference_id":"","reference_type":"","scores":[{"value":"0.0047","scoring_system":"epss","scoring_elements":"0.65015","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25273"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273"},{"reference_url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9","reference_id":"GHSA-g36h-4jr6-qmm9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9"},{"reference_url":"https://www.drupal.org/sa-core-2022-008","reference_id":"sa-core-2022-008","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T19:19:11Z/"}],"url":"https://www.drupal.org/sa-core-2022-008"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393435?format=json","purl":"pkg:composer/drupal/drupal@9.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-91kw-xn5d-pbbe"},{"vulnerability":"VCID-hdq9-fe9e-93hb"},{"vulnerability":"VCID-nhub-1map-n3by"},{"vulnerability":"VCID-wn4r-rc6m-xbhy"},{"vulnerability":"VCID-zymc-a812-1ua5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.12"}],"aliases":["CVE-2022-25273","GHSA-g36h-4jr6-qmm9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zxut-nxke-7fce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/349116?format=json","vulnerability_id":"VCID-zymc-a812-1ua5","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25276","reference_id":"","reference_type":"","scores":[{"value":"0.01831","scoring_system":"epss","scoring_elements":"0.83322","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25276"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276"},{"reference_url":"https://www.drupal.org/sa-core-2022-015","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2022-015"},{"reference_url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx","reference_id":"GHSA-4wfq-jc9h-vpcx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393432?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/393433?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7669-dguj-2qfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25276","GHSA-4wfq-jc9h-vpcx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zymc-a812-1ua5"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.1"}