Drupal: critical vulnerabilities

DATE        CVE             VULNERABILITY TITLE
            (description; attack vector, attack complexity, vendor tags, CWE; risk and score)

2022-02-11  CVE-2020-13675  Unrestricted Upload of File with Dangerous Type vulnerability in Drupal
    Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs.
    Attack vector: network; attack complexity: low; vendor tags: drupal; CWE-434; risk: critical (9.8)

2021-05-05  CVE-2020-13665  Unspecified vulnerability in Drupal
    Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode.
    Attack vector: network; attack complexity: low; vendor tags: drupal; risk: critical (9.8)

2020-12-17  CVE-2020-35191  Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0-fpm-alpine/8.3.1-fpm-alpine/8.5.10-fpm-alpine
    The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user.
    Attack vector: network; attack complexity: low; vendor tags: drupal; CWE-306; risk: critical (9.8)

2020-05-28  CVE-2019-6342   Unspecified vulnerability in Drupal 8.7.4
    An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled.
    Attack vector: network; attack complexity: low; vendor tags: drupal; risk: critical (9.8)

2020-01-14  CVE-2011-2715   SQL Injection vulnerability in Drupal Data and Drupal
    An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
    Attack vector: network; attack complexity: low; vendor tags: drupal; CWE-89; risk: critical (9.8)

2019-12-16  CVE-2019-19826  Deserialization of Untrusted Data vulnerability in Drupal Views Dynamic Field
    The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion.
    Attack vector: network; attack complexity: low; vendor tags: drupal; CWE-502; risk: critical (9.8)

2019-05-16  CVE-2019-10910  SQL Injection vulnerability in multiple products
    In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution.
    Attack vector: network; attack complexity: low; vendor tags: sensiolabs, drupal; CWE-89; risk: critical (9.8)

2019-05-09  CVE-2019-11831  Deserialization of Untrusted Data vulnerability in multiple products
    The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
    Attack vector: network; attack complexity: low; vendor tags: typo3, debian, fedoraproject, drupal, joomla; CWE-502; risk: critical (9.8)

2019-01-22  CVE-2019-6339   Improper Input Validation vulnerability in multiple products
    In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.
    Attack vector: network; attack complexity: low; vendor tags: drupal, debian; CWE-20; risk: critical (9.8)

2019-01-15  CVE-2017-6925   Unspecified vulnerability in Drupal
    In versions of Drupal 8 core prior to 8.3.7, there is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities.
    Attack vector: network; attack complexity: low; vendor tags: drupal; risk: critical (9.8)