Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Drupal Number Of NVD 249 CRITICAL 12 HIGH 57 MEDIUM 158 LOW 22
URL https://www.drupal.org/
Explanation Drupal is an open source Content Management System (CMS).
Compared to WordPress and Joomla, it is said to be faster in displaying pages.
Tag
  • GPL v3
  • オープンソース
  • GPL v2
Add Information URL
No Type Name URL
1 https://www.drupal.org/download
2 https://www.drupal.org/project/drupal/releases
3 https://github.com/drupal/drupal
4 https://www.drupal.org/about/drupal6-eol
5 https://www.drupal.org/blog/drupal-7-8-and-9
List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support		 Extended
for a fee		 Critical High Medium Low
211 Drupal 10 10.6.0-beta1 Nov. 25, 2025 Dec. 15, 2022 1 1 1 0
212 Drupal 9 9.5.11 Sept. 20, 2023 June 3, 2020 3 20 19 0
213 Drupal 8 8.9.20 Nov. 17, 2021 June 3, 2020 Nov. 30, 2021 11 29 35 0
214 Drupal 7 7.103 Dec. 4, 2024 Jan. 5, 2011 Nov. 30, 2021 4 18 64 7
215 Drupal 6 6.38 Feb. 24, 2016 Feb. 13, 2008 Feb. 24, 2016 2 10 57 13
216 Drupal 5 5.23 Aug. 11, 2010 Jan. 15, 2007 Jan. 6, 2011 1 5 39 7
217 Drupal 4 4.7.11 Jan. 10, 2008 June 15, 2002 Jan. 1, 1900 1 7 33 6
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2		 Level
Attach Vector		 Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date		 Show Affected Exploit
PoC
Search
211 -
7.5 		HIGH Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonom… CWE-20
CWE-89
 Improper Input Validation 
SQL Injection 		CVE-2007-6299 cpe:2.3:a:drupal:drupal:5.2:*
cpe:2.3:a:drupal:drupal:5.1_rev1.1:*
cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:dru… 		2026-04-23 09:35
2007-12-11 		Show GitHub Exploit DB Packet Storm
212 -
3.5 		LOW Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, No… CWE-79
Cross-site Scripting 		CVE-2007-5621 cpe:2.3:a:drupal:drupal:5.2:*
cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:drupal:drupal:5.0:*
cpe:2.3:a:drupal:dru… 		2026-04-23 09:35
2007-10-23 		Show GitHub Exploit DB Packet Storm
213 -
6.8 		MEDIUM install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified. CWE-94
Code Injection 		CVE-2007-5593 cpe:2.3:a:drupal:drupal:*:* 5.0 5.3 2026-04-23 09:35
2007-10-20 		Show GitHub Exploit DB Packet Storm
214 -
4.3 		MEDIUM Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. CWE-352
 Origin Validation Error 		CVE-2007-5594 cpe:2.3:a:drupal:drupal:*:* 5.0 5.3 2026-04-23 09:35
2007-10-20 		Show GitHub Exploit DB Packet Storm
215 -
5.1 		MEDIUM CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP … CWE-113
HTTP Response Splitting 		CVE-2007-5595 cpe:2.3:a:drupal:drupal:*:* 4.7.0
5.0

4.7.8
5.3 		2026-04-23 09:35
2007-10-20 		Show GitHub Exploit DB Packet Storm
216 -
4.3 		MEDIUM The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by upload… CWE-79
Cross-site Scripting 		CVE-2007-5596 cpe:2.3:a:drupal:drupal:*:* 4.7.0
5.0

4.7.8
5.3 		2026-04-23 09:35
2007-10-20 		Show GitHub Exploit DB Packet Storm
217 -
4.3 		MEDIUM The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished c… CWE-264
Permissions, Privileges, and Access Controls 		CVE-2007-5597 cpe:2.3:a:drupal:drupal:*:* 4.7.0
5.0

4.7.8
5.3 		2026-04-23 09:35
2007-10-20 		Show GitHub Exploit DB Packet Storm
218 -
6.8 		MEDIUM Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers t… CWE-189
Numeric Errors 		CVE-2007-5416 cpe:2.3:a:drupal:drupal:*:* 5.2 2026-04-23 09:35
2007-10-13 		Show GitHub Exploit DB Packet Storm
219 -
4.3 		MEDIUM Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileg… NVD-CWE-Other
CVE-2007-4063 cpe:2.3:a:drupal:drupal:5.1_rev1.1:*
cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:drupal:drupal:5.0:* 		2026-04-23 09:35
2007-07-31 		Show GitHub Exploit DB Packet Storm
220 -
4.3 		MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via "some server variables," in… CWE-79
Cross-site Scripting 		CVE-2007-4064 cpe:2.3:a:drupal:drupal:5.1:*
cpe:2.3:a:drupal:drupal:5.0:*
cpe:2.3:a:drupal:drupal:4.7_rev1.15:*
cpe:2.3:a:dr… 		2026-04-23 09:35
2007-07-31 		Show GitHub Exploit DB Packet Storm