| Vulnerability ID | VCID-hfqh-9xt2-5ufj |
| Aliases | GHSA-6mgp-v5cm-ghg5 |
| Summary | Drupal core Remote Code Execution. In Drupal core, when sending email some variables were not being sanitized for shell arguments in `DefaultMailSystem::mail()`, which could lead to remote code execution. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 9.0 |
| Risk | 4.5 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | CRITICAL | https://github.com/advisories/GHSA-6mgp-v5cm-ghg5 |
| generic_textual | CRITICAL | https://github.com/drupal/core |
| generic_textual | CRITICAL | https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2018-10-17-4.yaml |
| generic_textual | CRITICAL | https://www.drupal.org/sa-core-2018-006 |
| Reference id | Reference type | URL |
|---|---|---|
| | | https://github.com/drupal/core |
| | | https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2018-10-17-4.yaml |
| | | https://www.drupal.org/sa-core-2018-006 |
| GHSA-6mgp-v5cm-ghg5 | | https://github.com/advisories/GHSA-6mgp-v5cm-ghg5 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2025-07-31T08:35:32.550560+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-6mgp-v5cm-ghg5/GHSA-6mgp-v5cm-ghg5.json | 37.0.0 |