Vulnerabilities > Drupal > Critical
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-02-11 | CVE-2020-13675 | Unrestricted Upload of File with Dangerous Type vulnerability in Drupal. Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. | 9.8 |
2021-05-05 | CVE-2020-13665 | Unspecified vulnerability in Drupal. Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. | 9.8 |
2020-12-17 | CVE-2020-35191 | Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0Fpmalpine/8.3.1Fpmalpine/8.5.10Fpmalpine. The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. | 9.8 |
2020-05-28 | CVE-2019-6342 | Unspecified vulnerability in Drupal 8.7.4. An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. | 9.8 |
2020-01-14 | CVE-2011-2715 | SQL Injection vulnerability in Drupal Data and Drupal. An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | 9.8 |
2019-12-16 | CVE-2019-19826 | Deserialization of Untrusted Data vulnerability in Drupal Views Dynamic Field. The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. | 9.8 |
2019-05-16 | CVE-2019-10910 | SQL Injection vulnerability in multiple products. In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. | 9.8 |
2019-05-09 | CVE-2019-11831 | Deserialization of Untrusted Data vulnerability in multiple products. The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | 9.8 |
2019-01-22 | CVE-2019-6339 | Improper Input Validation vulnerability in multiple products. In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. | 9.8 |
2019-01-15 | CVE-2017-6925 | Unspecified vulnerability in Drupal. In versions of Drupal 8 core prior to 8.3.7, there is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. | 9.8 |