Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-13688

Summary
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
Published At-11 Jun, 2021 | 15:08
Updated At-04 Aug, 2024 | 12:25
Rejected At-
Credits

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:drupal
Assigner Org ID:2c85b837-eb8b-40ed-9d74-228c62987387
Published At:11 Jun, 2021 | 15:08
Updated At:04 Aug, 2024 | 12:25
Rejected At:
â–¼CVE Numbering Authority (CNA)

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
Drupal Core
Versions
Affected
  • From 8.8.X before 8.8.10 (custom)
  • From 8.9.X before 8.9.6 (custom)
  • From 9.0.X before 9.0.6 (custom)
Problem Types
TypeCWE IDDescription
textN/ACross-site scripting
Type: text
CWE ID: N/A
Description: Cross-site scripting
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.drupal.org/sa-core-2020-009
x_refsource_CONFIRM
Hyperlink: https://www.drupal.org/sa-core-2020-009
Resource:
x_refsource_CONFIRM
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.drupal.org/sa-core-2020-009
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.drupal.org/sa-core-2020-009
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:mlhess@drupal.org
Published At:11 Jun, 2021 | 15:15
Updated At:21 Jun, 2021 | 18:06

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CPE Matches
The Drupal Association
drupal
>>drupal>>Versions from 8.8.0(inclusive) to 8.8.10(exclusive)
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>Versions from 8.9.0(inclusive) to 8.9.6(exclusive)
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>drupal>>Versions from 9.0.0(inclusive) to 9.0.6(exclusive)
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.drupal.org/sa-core-2020-009mlhess@drupal.org
Patch
Vendor Advisory
Hyperlink: https://www.drupal.org/sa-core-2020-009
Source: mlhess@drupal.org
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

19252Records found
CVE-2008-1133
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 64.86%
||
7 Day CHG~0.00%
Published-04 Mar, 2008 | 18:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6533
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.38% / 60.07%
||
7 Day CHG~0.00%
Published-26 Mar, 2009 | 20:28
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-7150
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 46.21%
||
7 Day CHG~0.00%
Published-01 Sep, 2009 | 16:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Refine by Taxonomy 5.x before 5.x-0.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a taxonomy term, which is not properly handled by refine_by_taxo when displaying tags.

Action-Not Available
Vendor-ber_kesselsn/aThe Drupal Association
Product-drupalrefine_by_taxon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-48922
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.99%
||
7 Day CHG~0.00%
Published-26 Jun, 2025 | 13:32
Updated-09 Jul, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GLightbox allows Cross-Site Scripting (XSS).This issue affects GLightbox: from 0.0.0 before 1.0.16.

Action-Not Available
Vendor-levmyshkinThe Drupal Association
Product-glightboxGLightbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-7571
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 60.59%
||
7 Day CHG~0.00%
Published-03 Oct, 2016 | 18:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-47702
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.99%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 17:01
Updated-10 Jun, 2025 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS).This issue affects oEmbed Providers: from 0.0.0 before 2.2.2.

Action-Not Available
Vendor-oembed_providers_projectThe Drupal Association
Product-oembed_providersoEmbed Providers
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-47705
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 21.70%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 17:02
Updated-10 Feb, 2026 | 21:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS).This issue affects IFrame Remove Filter: from 2.0.0 before 2.0.5, from 7.X-1.0 through 7.X-1.5, from 1.0 through 1.2.

Action-Not Available
Vendor-iframe_remove_filter_projectThe Drupal Association
Product-iframe_remove_filterIFrame Remove Filter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3902
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.31% / 54.80%
||
7 Day CHG~0.00%
Published-23 Apr, 2025 | 17:08
Updated-17 Jun, 2025 | 00:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Class allows Cross-Site Scripting (XSS).This issue affects Block Class: from 4.0.0 before 4.0.1.

Action-Not Available
Vendor-four_kitchensThe Drupal Association
Product-block_classBlock Class
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6275
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 58.46%
||
7 Day CHG~0.00%
Published-25 Feb, 2009 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the User Karma module 5.x before 5.x-1.13 and 6.x before 6.x-1.0-beta1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified messages.

Action-Not Available
Vendor-n/aJoomla!The Drupal Association
Product-user_karma_modulejoomla\!n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3900
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.22% / 44.47%
||
7 Day CHG~0.00%
Published-23 Apr, 2025 | 17:07
Updated-20 Jun, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS).This issue affects Colorbox: from 0.0.0 before 2.1.3.

Action-Not Available
Vendor-colorbox_projectThe Drupal Association
Product-colorboxColorbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6413
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 55.47%
||
7 Day CHG~0.00%
Published-06 Mar, 2009 | 11:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x-dev and possibly other 5.x versions, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a Simple Answer to a question.

Action-Not Available
Vendor-ticklespacen/aThe Drupal Association
Product-answers_moduledrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-2349
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.04% / 12.91%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:21
Updated-31 Mar, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS).This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1.

Action-Not Available
Vendor-beyrisThe Drupal Association
Product-ui_iconsUI Icons
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-6135
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 49.42%
||
7 Day CHG~0.00%
Published-14 Feb, 2009 | 02:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaleveryblogn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4596
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 55.75%
||
7 Day CHG~0.00%
Published-17 Oct, 2008 | 21:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Shindig-Integrator 5.x, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in generated pages.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-shindig-integratorn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4710
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 46.21%
||
7 Day CHG~0.00%
Published-23 Oct, 2008 | 17:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupalstock_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4149
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 65.40%
||
7 Day CHG~0.00%
Published-19 Sep, 2008 | 18:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-link_to_usn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-3500
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 56.39%
||
7 Day CHG~0.00%
Published-06 Aug, 2008 | 18:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Suggested Terms module 5.x before 5.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via crafted Taxonomy terms.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-suggested_terms_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4147
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 56.39%
||
7 Day CHG~0.00%
Published-19 Sep, 2008 | 18:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-mailsaven/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-2773
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.42%
||
7 Day CHG~0.00%
Published-18 Jun, 2008 | 22:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Taxonomy Image module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-taxonomy_image_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-2998
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 48.57%
||
7 Day CHG~0.00%
Published-03 Jul, 2008 | 17:47
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupalaggregation_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-3219
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.87% / 75.63%
||
7 Day CHG~0.00%
Published-18 Jul, 2008 | 16:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Action-Not Available
Vendor-n/aThe Drupal AssociationFedora Project
Product-drupalfedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-3218
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.92% / 76.56%
||
7 Day CHG~0.00%
Published-18 Jul, 2008 | 16:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

Action-Not Available
Vendor-n/aThe Drupal AssociationFedora Project
Product-drupalfedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1916
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 55.97%
||
7 Day CHG~0.00%
Published-22 Apr, 2008 | 00:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-rc1 module for Drupal allow remote attackers to inject arbitrary web script or HTML via text fields intended for the (1) address and (2) order information, which are later displayed on the order view page and unspecified other administrative pages, a different vulnerability than CVE-2008-1428.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-ubercart_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1428
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 51.68%
||
7 Day CHG~0.00%
Published-20 Mar, 2008 | 18:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-beta7 module for Drupal allow remote attackers to inject arbitrary web script or HTML via a text attribute value for a product.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-ubercart_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1980
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.42%
||
7 Day CHG~0.00%
Published-27 Apr, 2008 | 20:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupale-publishn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1792
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 55.47%
||
7 Day CHG~0.00%
Published-15 Apr, 2008 | 17:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-drupalrn/aThe Drupal Association
Product-drupalflickrn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1794
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 58.46%
||
7 Day CHG~0.00%
Published-15 Apr, 2008 | 17:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the Webform Drupal module 5.x before 5.x-1.10, 5.x-2.x before 5.x-2.0-beta3, and 6.x before 6.x-1.0-beta3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-webform_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31697
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 60.36%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:55
Updated-02 Sep, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Formatter Suite allows Cross-Site Scripting (XSS).This issue affects Formatter Suite: from 0.0.0 before 2.1.0.

Action-Not Available
Vendor-formatter_suite_projectThe Drupal Association
Product-formatter_suiteFormatter Suite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0273
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.56% / 68.95%
||
7 Day CHG~0.00%
Published-15 Jan, 2008 | 19:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0463
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 58.07%
||
7 Day CHG~0.00%
Published-25 Jan, 2008 | 15:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-workflown/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31696
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.39% / 60.36%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:55
Updated-02 Sep, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal RapiDoc OAS Field Formatter allows Cross-Site Scripting (XSS).This issue affects RapiDoc OAS Field Formatter: from 0.0.0 before 1.0.1.

Action-Not Available
Vendor-chapterthreeThe Drupal Association
Product-rapidoc_oas_field_formatterRapiDoc OAS Field Formatter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0576
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 55.97%
||
7 Day CHG~0.00%
Published-05 Feb, 2008 | 01:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors that write to summary table pages.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-project_issue_tracking_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0276
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 46.04%
||
7 Day CHG~0.00%
Published-15 Jan, 2008 | 19:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31687
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 58.37%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:44
Updated-28 Aug, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal SpamSpan filter allows Cross-Site Scripting (XSS).This issue affects SpamSpan filter: from 0.0.0 before 3.2.1.

Action-Not Available
Vendor-drowlThe Drupal Association
Product-spamspan_filterSpamSpan filter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0462
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 56.40%
||
7 Day CHG~0.00%
Published-25 Jan, 2008 | 15:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupalarchive_modulen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31679
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.55% / 68.55%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:38
Updated-04 Jun, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Ignition Error Pages allows Cross-Site Scripting (XSS).This issue affects Ignition Error Pages: from 0.0.0 before 1.0.4.

Action-Not Available
Vendor-ignition_error_pages_projectThe Drupal Association
Product-ignition_error_pagesIgnition Error Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31695
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 67.53%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:52
Updated-02 Sep, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Link field display mode formatter allows Cross-Site Scripting (XSS).This issue affects Link field display mode formatter: from 0.0.0 before 1.6.0.

Action-Not Available
Vendor-upstreamableThe Drupal Association
Product-link_field_display_mode_formatterLink field display mode formatter
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3057
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 61.61%
||
7 Day CHG~0.00%
Published-31 Mar, 2025 | 21:33
Updated-15 Apr, 2025 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-5596
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.60% / 70.03%
||
7 Day CHG+0.02%
Published-19 Oct, 2007 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-55635
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.84% / 75.22%
||
7 Day CHG~0.00%
Published-09 Dec, 2024 | 23:23
Updated-02 Jun, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-47704
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.99%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 17:02
Updated-10 Jun, 2025 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS).This issue affects Klaro Cookie & Consent Management: from 0.0.0 before 3.0.5.

Action-Not Available
Vendor-klaro_cookie_\&_consent_management_projectThe Drupal Association
Product-klaro_cookie_\&_consent_managementKlaro Cookie & Consent Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2007-0136
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.74% / 73.38%
||
7 Day CHG~0.00%
Published-09 Jan, 2007 | 11:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12848
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-7||HIGH
EPSS-0.02% / 5.14%
||
7 Day CHG~0.00%
Published-26 Nov, 2025 | 01:28
Updated-26 Mar, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS vulnerability when rendering filename in Webform Multiform

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at  https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.

Action-Not Available
Vendor-webform_multiple_file_upload_projectThe Drupal Association
Product-webform_multiple_file_uploadDrupal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1905
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 65.02%
||
7 Day CHG~0.00%
Published-20 Jun, 2013 | 23:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Zero Point theme 7.x-1.x before 7.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-catalin_florian_radutn/aThe Drupal Association
Product-zeropointdrupaln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33829
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-65.53% / 98.52%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 11:51
Updated-03 Aug, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

Action-Not Available
Vendor-ckeditorn/aDebian GNU/LinuxFedora ProjectThe Drupal Association
Product-ckeditordrupaldebian_linuxfedoran/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-6929
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.60% / 70.15%
||
7 Day CHG~0.00%
Published-01 Mar, 2018 | 22:00
Updated-16 Sep, 2024 | 23:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Action-Not Available
Vendor-Debian GNU/LinuxThe Drupal Association
Product-debian_linuxdrupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-6927
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-1.39% / 80.83%
||
7 Day CHG~0.00%
Published-01 Mar, 2018 | 22:00
Updated-17 Sep, 2024 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.

Action-Not Available
Vendor-Debian GNU/LinuxThe Drupal Association
Product-debian_linuxdrupalDrupal Core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1647
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.67% / 71.92%
||
7 Day CHG~0.00%
Published-28 Aug, 2012 | 16:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION.

Action-Not Available
Vendor-mediafrontn/aThe Drupal Association
Product-drupalmediafrontn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13283
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 48.32%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 19:36
Updated-02 Sep, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.9.

Action-Not Available
Vendor-facets_projectThe Drupal Association
Product-facetsFacets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-12083
Matching Score-10
Assigner-Drupal.org
ShareView Details
Matching Score-10
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 7.67%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 23:14
Updated-03 Dec, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.

Action-Not Available
Vendor-salsa.digitalThe Drupal Association
Product-civictheme_design_systemCivicTheme Design System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 385
  • 386
  • Next
Details not found