Security advisories for Drupal core | Drupal.org
Security advisories for Drupal core
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Date: 2026-April-15
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: CVE-2026-6367
Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5.
The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross-site scripting attack against another user.
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
Date: 2026-April-15
Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
CVE IDs: CVE-2026-6366
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.
This issue is not directly exploitable.
Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
Date: 2026-April-15
Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: CVE-2026-6365
Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.
Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
Date: 2025-November-12
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
CVE IDs: CVE-2025-13083
The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.
In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.
Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
Date: 2025-November-12
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
CVE IDs: CVE-2025-13082
By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.
The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.
Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
Date: 2025-November-12
Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
CVE IDs: CVE-2025-13081
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
It is not directly exploitable.
Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
Date: 2025-November-12
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
CVE IDs: CVE-2025-13080
Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).
This could be exploited in various ways:
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Date: 2025-March-19
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: CVE-2025-31675
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are not affected.
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
Date: 2025-February-19
Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
CVE IDs: CVE-2025-31674
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
Date: 2025-February-19
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: CVE-2025-31673
Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views.
A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.
This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes.
Subscribe with RSS
In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
You can also get RSS feeds for core, contrib, or public service announcements, or follow drupalsecurity@drupal.community on Mastodon or @drupalsecurity on Bluesky.
Contacting the Security team
In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.
Writing secure code
If you are a Drupal developer, please read the handbook section on Writing secure code.