{"total":20,"page":1,"count":20,"advisories":[{"id":"a49fce47-a395-400f-b5bf-2a58182f91f2","num":87121,"source_id":"drupal","external_id":"3593385 at https://www.drupal.org","title":"Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009","summary":"Project: Drupal core Date: 2026-June-17 Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon Vulnerability: Improper validation Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55808 Description: The JSON:API and REST modules allow you to upload image files to image fields. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior. Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use Drupal 10.6.x, update to Drupal 10.6.11 . If you use Drupal 10.5.x, update to Drupal 10.5.12 . Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: cantina_security Fixed By: Björn Brala (bbrala) Kim Pepper (kim.pepper) Lee Rowlands (larowlan) of the Drupal Security Team Coordinated By: Damien McKenna (damienmckenna) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Jess (xjm) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2026-009","severity":"critical","cvss":null,"cves":["CVE-2026-55808"],"exploited":false,"has_exploit":false,"published_at":"2026-06-17T18:58:02+00:00"},{"id":"cc13d5cd-f165-47b3-8b4b-d3b45ce9e2ff","num":87122,"source_id":"drupal","external_id":"3593377 at https://www.drupal.org","title":"Drupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-008","summary":"Project: Drupal core Date: 2026-June-17 Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default Vulnerability: Server-side request forgery Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55807 Description: The Media module comes with support for oEmbed. The oEmbed specification contains two discovery mechanisms, via providers.json and via URL discovery. The URL discovery code could be leveraged to trick Drupal into making server-side requests to any URL. Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use Drupal 10.6.x, update to Drupal 10.6.11 . If you use Drupal 10.5.x, update to Drupal 10.5.12 . Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Required site changes for URL discovery Most users of the oEmbed functionality in Drupal likely use providers.json to define known providers (such as YouTube and Vimeo) for embedding content. If you are using URL discovery, you now need to set a list of trusted oEmbed discovery hosts in settings.php . This is an array containing a series of regular expressions for matching host names for discovery. It follows the same pattern as the existing trusted hosts settings . Example: // Only allow URL discovery from example.com. $settings['media_oembed_discovery_trusted_host_patterns'] = [ '^example\\.com$', ]; Reported By: Hamed Kohi (0xhamy) assaf alassaf (ama62) Albert Skibinski (askibinski) Jon Minder (ayalon) Lautaro Casanova (betah4k) Gabe Sullice (gabesullice) John Morahan (john morahan) Michael Winser (michaelwinser) nbanderson offensive-ai Francesco Placella (plach) quynh ho (qquynh) Himanshu Anand (unknownhad) Fixed By: Lee Rowlands (larowlan) of the Drupal Security","link":"https://www.drupal.org/sa-core-2026-008","severity":"critical","cvss":null,"cves":["CVE-2026-55807"],"exploited":false,"has_exploit":false,"published_at":"2026-06-17T18:57:49+00:00"},{"id":"d6813d05-27e9-473a-9580-6fb62151e89e","num":87123,"source_id":"drupal","external_id":"3593110 at https://www.drupal.org","title":"Drupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-007","summary":"Project: Drupal core Date: 2026-June-17 Security risk: Less critical 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default Vulnerability: Cache poisoning and open redirect Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55806 Description: Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition. This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain. Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use Drupal 10.6.x, update to Drupal 10.6.11 . If you use Drupal 10.5.x, update to Drupal 10.5.12 . Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Melih Acikoz Michael Winser (michaelwinser) Willem Drupal enthousiast (willempje2) Fixed By: Lee Rowlands (larowlan) of the Drupal Security Team Coordinated By: catch (catch) of the Drupal Security Team cilefen (cilefen) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of the Drupal Security Team James Gilliland (neclimdul) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Jess (xjm) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2026-007","severity":"critical","cvss":null,"cves":["CVE-2026-55806"],"exploited":false,"has_exploit":false,"published_at":"2026-06-17T18:57:37+00:00"},{"id":"a0c4a0d9-c7f9-4eef-83dd-21b2094a2310","num":87124,"source_id":"drupal","external_id":"3594118 at https://www.drupal.org","title":"Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006","summary":"Project: Drupal core Date: 2026-June-17 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55804 Description: Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called \"gadget chain\" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability. This issue is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize() . Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use Drupal 10.6.x, update to Drupal 10.6.11 . If you use Drupal 10.5.x, update to Drupal 10.5.12 . Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Michael Maturi (michaelmaturi) Fixed By: Lee Rowlands (larowlan) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Mohit Aghera (mohit_aghera) Coordinated By: Anna Kalata (akalata) of the Drupal Security Team Benji Fisher (benjifisher) of the Drupal Security Team cilefen (cilefen) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Jess (xjm) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2026-006","severity":"critical","cvss":null,"cves":["CVE-2026-55804"],"exploited":false,"has_exploit":false,"published_at":"2026-06-17T18:57:02+00:00"},{"id":"22e7d6eb-916c-4a64-8892-427bbe718c99","num":87125,"source_id":"drupal","external_id":"3593881 at https://www.drupal.org","title":"Drupal core - Critical - PHP object injection - SA-CORE-2026-005","summary":"Project: Drupal core Date: 2026-June-17 Security risk: Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: PHP object injection Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55803 Description: SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection. This vulnerability is mitigated by the fact that in order to be exploitable: A site must use an entity reference field type that stores a serialized property. An attacker must have permission to write to the entity via JSON:API. No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules. JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access). Drupal Steward protection: This issue is being protected by Drupal Steward . In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release. Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use","link":"https://www.drupal.org/sa-core-2026-005","severity":"critical","cvss":null,"cves":["CVE-2026-55803"],"exploited":false,"has_exploit":false,"published_at":"2026-06-17T18:56:50+00:00"},{"id":"2787611d-5bbf-4738-ad66-c1ab8cf65ad9","num":87126,"source_id":"drupal","external_id":"3591142 at https://www.drupal.org","title":"Drupal core - Highly critical - SQL injection - SA-CORE-2026-004","summary":"Project: Drupal core Date: 2026-May-20 Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:Uncommon Vulnerability: SQL injection Affected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10 CVE IDs: CVE-2026-9082 Description: Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability only affects sites using PostgreSQL . However, the third-party dependency updates in these releases apply to all sites. Updates May 22 2026, 04:30 UTC: The risk score has been updated to reflect that exploit attempts are now being detected in the wild. Upstream security advisories The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities. Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not . It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules. Solution: Install the latest version. Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.10 . If you use Drupal 11.2.x, update to Drupal 11.2.12 . If you use Drupal 11.1.","link":"https://www.drupal.org/sa-core-2026-004","severity":"critical","cvss":null,"cves":["CVE-2026-9082"],"exploited":true,"has_exploit":true,"published_at":"2026-05-20T18:08:21+00:00"},{"id":"6c437282-35a6-40e1-b0a9-fb610c1a4486","num":87127,"source_id":"drupal","external_id":"3584598 at https://www.drupal.org","title":"Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003","summary":"Project: Drupal core Date: 2026-April-15 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross-site scripting Affected versions: >= 11.3.0 < 11.3.7 CVE IDs: CVE-2026-6367 Description: Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user. Solution: Install the latest version: If you use Drupal 11.3.x, update to Drupal 11.3.7 Drupal versions below 11.3 are not affected by this vulnerability Reported By: cantina_security Dries Buytaert (dries) Dmitrijs Trizna (dtrizna) Shirsendu Mondal Fixed By: Lee Rowlands (larowlan) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Mingsong (mingsong) , provisional member of the Drupal Security Team Coordinated By: Damien McKenna (damienmckenna) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Jess (xjm) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2026-003","severity":"critical","cvss":null,"cves":["CVE-2026-6367"],"exploited":false,"has_exploit":false,"published_at":"2026-04-15T19:27:21+00:00"},{"id":"7d1f28b9-33fc-4b6b-8b70-d801b085d3a1","num":87128,"source_id":"drupal","external_id":"3584666 at https://www.drupal.org","title":"Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002","summary":"Project: Drupal core Date: 2026-April-15 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget Chain Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7 CVE IDs: CVE-2026-6366 Description: Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called \"gadget chain\" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability. This issue is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize() . There are no such known exploits in Drupal core. Solution: Install the latest version: If you use Drupal 10.5.x, update to Drupal 10.5.9 . If you use Drupal 10.6.x, update to Drupal 10.6.7 . If you use Drupal 11.2.x, update to Drupal 11.2.11 . If you use Drupal 11.3.x, update to Drupal 11.3.7 . Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Truong Le (hswww) menon t-chen Fixed By: Benji Fisher (benjifisher) of the Drupal Security Team cilefen (cilefen) of the Drupal Security Team Neil Drumm (drumm) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Ra Mänd (ram4nd) , provisional member of the Drupal Security Team Jess (xjm) of the Drupal Security Team Coordinated By: Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of th","link":"https://www.drupal.org/sa-core-2026-002","severity":"critical","cvss":null,"cves":["CVE-2026-6366"],"exploited":false,"has_exploit":false,"published_at":"2026-04-15T19:25:23+00:00"},{"id":"20b82630-7128-4e5e-a400-785563fbed11","num":87129,"source_id":"drupal","external_id":"3584021 at https://www.drupal.org","title":"Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001","summary":"Project: Drupal core Date: 2026-April-15 Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross-site scripting Affected versions: >= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7 CVE IDs: CVE-2026-6365 Description: Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability. Solution: Install the latest version: If you use Drupal 10.5.x, update to Drupal 10.5.9 . If you use Drupal 10.6.x, update to Drupal 10.6.7 . If you use Drupal 11.2.x, update to Drupal 11.2.11 . If you use Drupal 11.3.x, update to Drupal 11.3.7 . Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Murat Kekiç (murat_kekic) Fixed By: Anna Kalata (akalata) of the Drupal Security Team Benji Fisher (benjifisher) of the Drupal Security Team Neil Drumm (drumm) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Michael Hess (mlhess) of the Drupal Security Team James Gilliland (neclimdul) of the Drupal Security Team Joseph Zhao (pandaski) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Ra Mänd (ram4nd) , provisional member of the Drupal Security Team Jess (xjm) of the Drupal Security Team Coordinated By: Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Pierre Rudloff (prudloff) of the Drupal Security Team Jess (xjm) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2026-001","severity":"critical","cvss":null,"cves":["CVE-2026-6365"],"exploited":false,"has_exploit":false,"published_at":"2026-04-15T19:24:30+00:00"},{"id":"1a1c60c4-a30f-4b58-b8f4-12404ac24988","num":87130,"source_id":"drupal","external_id":"3557473 at https://www.drupal.org","title":"Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008","summary":"Project: Drupal core Date: 2025-November-12 Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon Vulnerability: Information disclosure Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8 CVE IDs: CVE-2025-13083 Description: The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN. This vulnerability is mitigated by the following: Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme. An attacker must know to request a file that has previously been requested by a more-privileged user, and that file must still be cached. Solution: Install the latest version: If you are using Drupal 10.4, update to Drupal 10.4.9 . If you are using Drupal 10.5, update to Drupal 10.5.6 . If you are using Drupal 11.1, update to Drupal 11.1.9 . If you are using Drupal 11.2, update to Drupal 11.2.8 . Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Damien McKenna (damienmckenna) of the Drupal Security Team tame4tex Fixed By: Benji Fisher (benjifisher) of the Drupal Security Team catch (catch) of the Drupal Security Team Neil Drumm (drumm) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Mingsong (mingsong) , provisional member of the Drupal Security Team Mohit Aghera (mohit_aghera) James Gilliland (neclimdul) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Te","link":"https://www.drupal.org/sa-core-2025-008","severity":"critical","cvss":null,"cves":["CVE-2025-13083"],"exploited":false,"has_exploit":false,"published_at":"2025-11-12T20:16:22+00:00"},{"id":"4582d7ab-a417-46ab-80c9-3b884eadf9e5","num":87131,"source_id":"drupal","external_id":"3527346 at https://www.drupal.org","title":"Drupal core - Moderately critical - Defacement - SA-CORE-2025-007","summary":"Project: Drupal core Date: 2025-November-12 Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All Vulnerability: Defacement Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8 CVE IDs: CVE-2025-13082 Description: By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement. The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered. Solution: Install the latest version: If you are using Drupal 10.4, update to Drupal 10.4.9 . If you are using Drupal 10.5, update to Drupal 10.5.6 . If you are using Drupal 11.1, update to Drupal 11.1.9 . If you are using Drupal 11.2, update to Drupal 11.2.8 . Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Kevin Quillen (kevinquillen) Fixed By: Benji Fisher (benjifisher) of the Drupal Security Team Neil Drumm (drumm) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Mingsong (mingsong) , provisional member of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Ra Mänd (ram4nd) , provisional member of the Drupal Security Team Jess (xjm) of the Drupal Security Team Coordinated By: catch (catch) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2025-007","severity":"critical","cvss":null,"cves":["CVE-2025-13082"],"exploited":false,"has_exploit":false,"published_at":"2025-11-12T20:16:21+00:00"},{"id":"4a28d6a3-9ecf-4264-b7d9-b4d7b47b4d13","num":87132,"source_id":"drupal","external_id":"3557475 at https://www.drupal.org","title":"Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006","summary":"Project: Drupal core Date: 2025-November-12 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8 CVE IDs: CVE-2025-13081 Description: Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called \"gadget chain\" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize() . There are no such known exploits in Drupal core. Solution: Install the latest version: If you are using Drupal 10.4, update to Drupal 10.4.9 . If you are using Drupal 10.5, update to Drupal 10.5.6 . If you are using Drupal 11.1, update to Drupal 11.1.9 . If you are using Drupal 11.2, update to Drupal 11.2.8 . Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: anzuukino Fixed By: Anna Kalata (akalata) , provisional member of the Drupal Security Team catch (catch) of the Drupal Security Team Neil Drumm (drumm) of the Drupal Security Team Greg Knaddison (greggles) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team Ra Mänd (ram4nd) , provisional member of the Drupal Security Team Jess (xjm) of the Drupal Security Team Coordinated By: catch (catch) of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of t","link":"https://www.drupal.org/sa-core-2025-006","severity":"critical","cvss":null,"cves":["CVE-2025-13081"],"exploited":false,"has_exploit":false,"published_at":"2025-11-12T18:34:02+00:00"},{"id":"de1e7559-a579-4049-8394-0842f50b6d1b","num":87133,"source_id":"drupal","external_id":"3557474 at https://www.drupal.org","title":"Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005","summary":"Project: Drupal core Date: 2025-November-12 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All Vulnerability: Denial of Service Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8 CVE IDs: CVE-2025-13080 Description: Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning). This could be exploited in various ways: Broken rendering of some pages Unstyled or malformatted pages Adverse impacts on client-side functionality Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability. The authors of the underlying library do not believe it is a source of vulnerabilities in other systems. Drupal's use of library leads to an implementation-specific vulnerability, so we've issued this advisory and reserved a CVE ID for the vulnerability in Drupal. Solution: Install the latest version: If you are using Drupal 10.4, update to Drupal 10.4.9 . If you are using Drupal 10.5, update to Drupal 10.5.6 . If you are using Drupal 11.1, update to Drupal 11.1.9 . If you are using Drupal 11.2, update to Drupal 11.2.8 . Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Dragos Dumitrescu (dragos-dumi) yasser ALLAM (inzo_) Nils Destoop (nils.destoop) Sven Decabooter (svendecabooter) zhero Fixed By: Alex Pott (alexpott) of the Drupal Security Team catch (catch) of the Drupal Security Team cilefen (cilefen) of the Drupal Security Team Jen Lampton (jenlampton) , provisional member of the Dru","link":"https://www.drupal.org/sa-core-2025-005","severity":"critical","cvss":null,"cves":["CVE-2025-13080"],"exploited":false,"has_exploit":false,"published_at":"2025-11-12T18:33:05+00:00"},{"id":"66353430-14f7-48af-8296-eb1ec5e41772","num":87134,"source_id":"drupal","external_id":"3514078 at https://www.drupal.org","title":"Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004","summary":"Project: Drupal core Date: 2025-March-19 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross Site Scripting Affected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5 CVE IDs: CVE-2025-31675 Description: Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS). This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module. Sites with the Link module disabled or that do not use any link fields are not affected. Solution: Install the latest version: If you use Drupal 10.3.x, update to Drupal 10.3.14 If you use Drupal 10.4.x, update to Drupal 10.4.5 If you use Drupal 11.0.x, update to Drupal 11.0.13 If you use Drupal 11.1.x, update to Drupal 11.1.5 All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team. Reported By: Samuel Mortenson (samuel.mortenson) Fixed By: Anna Kalata (akalata) , provisional member of the Drupal Security Team Alex Pott (alexpott) of the Drupal Security Team Benji Fisher (benjifisher) of the Drupal Security Team Bram Driesen (bramdriesen) , provisional member of the Drupal Security Team catch (catch) of the Drupal Security Team Alex Bronstein (effulgentsia) of the Drupal Security Team Jen Lampton (jenlampton) , provisional member of the Drupal Security Team Lee Rowlands (larowlan) of the Drupal Security Team Dave Long (longwave) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team Joseph Zhao (pandaski) , provisional member of the Drupal Security Team Adam G-H (phenaproxima) Samuel Mortenson (samuel.mortenson) Jess (xjm) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2025-004","severity":"critical","cvss":null,"cves":["CVE-2025-31675"],"exploited":false,"has_exploit":false,"published_at":"2025-03-19T18:54:35+00:00"},{"id":"c57c5e65-b34d-475a-acee-7ed3e73b12ad","num":87135,"source_id":"drupal","external_id":"3507831 at https://www.drupal.org","title":"Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003","summary":"Project: Drupal core Date: 2025-February-19 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget Chain Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3 CVE IDs: CVE-2025-31674 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize() . There are no such known exploits in Drupal core. Solution: Install the latest version: If you use Drupal 10.3.x, update to Drupal 10.3.13 If you use Drupal 10.4.x, update to Drupal 10.4.3 If you use Drupal 11.0.x, update to Drupal 11.0.12 If you use Drupal 11.1.x, update to Drupal 11.1.3 All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: anzuukino shin24 Fixed By: ghost of drupal past Dave Long (longwave) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team nicxvan shin24","link":"https://www.drupal.org/sa-core-2025-003","severity":"critical","cvss":null,"cves":["CVE-2025-31674"],"exploited":false,"has_exploit":false,"published_at":"2025-02-19T17:03:28+00:00"},{"id":"718418fb-f4b7-471e-a0ec-27e0eea66b18","num":87136,"source_id":"drupal","external_id":"3507828 at https://www.drupal.org","title":"Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002","summary":"Project: Drupal core Date: 2025-February-19 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Access bypass Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3 CVE IDs: CVE-2025-31673 Description: Bulk operations allow authorized users to modify several nodes at once from the Content page ( /admin/content ). A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes. This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes. In particular, the bulk operations Make content sticky Make content unsticky Promote content to front page Publish content Remove content from front page Unpublish content now require the \"Administer content\" permission. Solution: Install the latest version: If you are using Drupal 10.3, update to Drupal 10.3.13 . If you are using Drupal 10.4, update to Drupal 10.4.3 . If you are using Drupal 11.0, update to Drupal 11.0.12 . If you are using Drupal 11.1, update to Drupal 11.1.3 . All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: jeff cardwell Fixed By: Benji Fisher (benjifisher) of the Drupal Security Team jeff cardwell Mingsong (mingsong) Provisional Member of the Drupal Security Team Juraj Nemec (poker10) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2025-002","severity":"critical","cvss":null,"cves":["CVE-2025-31673"],"exploited":false,"has_exploit":false,"published_at":"2025-02-19T16:58:10+00:00"},{"id":"577cbe9b-1cc7-481e-b589-69d517dc3ba7","num":87137,"source_id":"drupal","external_id":"3507825 at https://www.drupal.org","title":"Drupal core - Critical - Cross site scripting - SA-CORE-2025-001","summary":"Project: Drupal core Date: 2025-February-19 Security risk: Critical 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All Vulnerability: Cross site scripting Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3 CVE IDs: CVE-2025-3057 Description: Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS). Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This issue is being protected by Drupal Steward . Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future. Solution: Install the latest version: If you use Drupal 10.3.x, update to Drupal 10.3.13 If you use Drupal 10.4.x, update to Drupal 10.4.3 If you use Drupal 11.0.x, update to Drupal 11.0.12 If you use Drupal 11.1.x, update to Drupal 11.1.3 All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Arne (arkepp) bdanin Douglas Groene (dgroene) Dragos Dumitrescu (dragos-dumi) Flo Kosiol (flokosiol) Gerardo Cadau (juanramonperez) Justin Christoffersen (larsdesigns) nuwans Sven Decabooter (svendecabooter) Will Gunn (wgunn_e) Fixed By: catch (catch) of the Drupal Security Team Drew Webber (mcdruid) of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2025-001","severity":"critical","cvss":null,"cves":["CVE-2025-3057"],"exploited":false,"has_exploit":false,"published_at":"2025-02-19T16:49:28+00:00"},{"id":"d447e63f-4560-4812-a4ce-416f043a19e0","num":87138,"source_id":"drupal","external_id":"3488717 at https://www.drupal.org","title":"Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008","summary":"Project: Drupal core Date: 2024-November-20 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: >=7.0 < 7.102 || >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 CVE IDs: CVE-2024-55638 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize() . There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. Solution: Install the latest version: If you are using Drupal 7, update to Drupal 7.102 . If you are using Drupal 10.2, update to Drupal 10.2.11 . If you are using Drupal 10.3, update to Drupal 10.3.9 . All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Drew Webber of the Drupal Security Team Fixed By: Drew Webber of the Drupal Security Team Fabian Franz Juraj Nemec of the Drupal Security Team Lee Rowlands of the Drupal Security Team Dave Long of the Drupal Security Team Alex Pott of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Benji Fisher of the Drupal Security Team xjm of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2024-008","severity":"critical","cvss":null,"cves":["CVE-2024-55638"],"exploited":false,"has_exploit":false,"published_at":"2024-11-20T17:29:59+00:00"},{"id":"06c34551-83bd-45fe-99ab-a43dd2d69abc","num":87139,"source_id":"drupal","external_id":"3488713 at https://www.drupal.org","title":"Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007","summary":"Project: Drupal core Date: 2024-November-20 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 CVE IDs: CVE-2024-55637 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize() . There are no such known exploits in Drupal core. To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError . Solution: Install the latest version: If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. If you are using Drupal 11.0, update to Drupal 11.0.8. Drupal 7 is not affected. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Drew Webber of the Drupal Security Team Fixed By: Drew Webber of the Drupal Security Team Lee Rowlands of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Greg Knaddison of the Drupal Security Team Benji Fisher of the Drupal Security Team xjm of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2024-007","severity":"critical","cvss":null,"cves":["CVE-2024-55637"],"exploited":false,"has_exploit":false,"published_at":"2024-11-20T17:27:28+00:00"},{"id":"6e7c74be-866b-4f67-bcd5-7f25970866d7","num":87140,"source_id":"drupal","external_id":"3488712 at https://www.drupal.org","title":"Drupal core - Less critical - Gadget chain - SA-CORE-2024-006","summary":"Project: Drupal core Date: 2024-November-20 Security risk: Less critical 8 ∕ 25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 CVE IDs: CVE-2024-55636 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize() . There are no such known exploits in Drupal core. To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError . Solution: Install the latest version: If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. If you are using Drupal 11.0, update to Drupal 11.0.8. Drupal 7 is not affected. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. ( Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Drew Webber of the Drupal Security Team Fixed By: Drew Webber of the Drupal Security Team Lee Rowlands of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Benji Fisher of the Drupal Security Team xjm of the Drupal Security Team","link":"https://www.drupal.org/sa-core-2024-006","severity":"critical","cvss":null,"cves":["CVE-2024-55636"],"exploited":false,"has_exploit":false,"published_at":"2024-11-20T17:25:47+00:00"}]}