| Vulnerability ID | VCID-yr92-jf5d-67bp |
| Aliases | GHSA-jf8c-36vw-98x4 |
| Summary | Drupal core Remote Code Execution. In Drupal core, when sending email, some variables were not being sanitized for shell arguments in `DefaultMailSystem::mail()`, which could lead to remote code execution. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 9.0 |
| Risk | 4.5 |
| Affected and Fixed Packages | Package Details |

| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | CRITICAL | https://github.com/advisories/GHSA-jf8c-36vw-98x4 |
| generic_textual | CRITICAL | https://github.com/drupal/drupal |
| generic_textual | CRITICAL | https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml |
| generic_textual | CRITICAL | https://www.drupal.org/sa-core-2018-006 |

| Reference id | Reference type | URL |
|---|---|---|
| | | https://github.com/drupal/drupal |
| | | https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml |
| | | https://www.drupal.org/sa-core-2018-006 |
| GHSA-jf8c-36vw-98x4 | | https://github.com/advisories/GHSA-jf8c-36vw-98x4 |

No EPSS data available for this vulnerability.

| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2025-07-31T08:35:14.387497+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jf8c-36vw-98x4/GHSA-jf8c-36vw-98x4.json | 37.0.0 |