pkg:Bitnami/drupal

All known vulnerabilities

• HIGH8.8CVE-2020-13671⚠ KEVDrupal core Unrestricted Upload of File with Dangerous Type
  >= 7.0.0, < 7.74.0, >= 8.8.0, < 8.8.11, >= 8.9.0, < 8.9.9, >= 9.0.0, < 9.0.8
• HIGH7.5CVE-2020-36193⚠ KEVDirectory Traversal in Archive_Tar
  >= 7.0.0, < 7.78.0, >= 8.9.0, < 8.9.13, >= 9.0.0, < 9.0.11, >= 9.1.0, < 9.1.3
• MEDIUM6.9CVE-2020-11023⚠ KEVPotential XSS vulnerability in jQuery
  >= 7.0.0, < 7.70.0, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.6
• CRITICAL10.0CVE-2025-41240The Bitnami WordPress Helm chart mounts Kubernetes Secrets under a predictable path (/opt/bitnami/wordpress/secrets) that is located within…
  >= 11.1.5-0, < 11.2.2-1
• CRITICAL9.8CVE-2024-55638Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
  >= 7.0.0, < 10.3.9
• CRITICAL9.8CVE-2024-55637Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
  >= 8.0.0, < 10.3.9, >= 11.0.0, < 11.0.8
• CRITICAL9.8CVE-2024-55636Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
  >= 8.0.0, < 10.3.9, >= 11.0.0, < 11.0.8
• CRITICAL9.8CVE-2020-13665Drupal Core Access bypass vulnerability
  >= 8.8.0, < 8.8.8, >= 8.9.0, < 8.9.1, >= 9.0.0, < 9.0.1
• CRITICAL9.8CVE-2020-13675Unrestricted Upload of File with Dangerous Type in Drupal core
  >= 8.0.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
• HIGH8.8CVE-2020-13664Drupal Core Arbitrary PHP code execution vulnerability
  >= 8.8.0, < 8.8.8, >= 8.9.0, < 8.9.1, >= 9.0.0, < 9.0.1
• HIGH8.8CVE-2020-13663drupal7 - security update
  >= 7.0.0, < 7.72.0, >= 8.8.0, < 8.8.8, >= 8.9.0, < 8.9.1, >= 9.0.0, < 9.0.1
• HIGH8.2CVE-2021-41165HTML comments vulnerability allowing to execute JavaScript code
  >= 8.9.0, < 8.9.20, >= 9.1.0, < 9.1.14, >= 9.2.0, < 9.2.9
• HIGH8.2CVE-2021-41164Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
  >= 8.9.0, < 8.9.20, >= 9.1.0, < 9.1.14, >= 9.2.0, < 9.2.9
• HIGH8.1CVE-2024-55634Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
  >= 8.0.0, < 10.3.9, >= 11.0.0, < 11.0.8
• HIGH8.0CVE-2022-29248Cross-domain cookie leakage in Guzzle
  >= 9.2.0, < 9.2.20, >= 9.3.0, < 9.3.14
• HIGH7.8CVE-2020-28948php-pear - security update
  >= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
• HIGH7.8CVE-2020-28948php-pear - security update
  >= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
• HIGH7.5CVE-2025-31674Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
  >= 8.0.0, < 10.4.3, >= 11.0.0, < 11.1.3
• HIGH7.5CVE-2024-11941Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
  >= 8.0.0, < 10.2.4
• HIGH7.5CVE-2024-22362Drupal Denial of Service vulnerability
  >= 9.3.6, < 10.2.6
• HIGH7.5CVE-2023-5256Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
  >= 8.7.0, < 9.5.11, >= 10.0.0, < 10.0.11, >= 10.1.0, < 10.1.4
• HIGH7.5CVE-2022-39261Twig may load a template outside a configured directory when using the filesystem loader
  >= 8.0.0, < 9.3.22, >= 9.4.0, < 9.4.7
• HIGH7.5CVE-2022-25275Drupal core Information Disclosure vulnerability
  >= 7.0.0, < 7.91.0, >= 8.0.0, < 9.3.19, >= 9.4.0, < 9.4.3
• HIGH7.5CVE-2022-31042Fix failure to strip Authorization header on HTTP downgrade in Guzzle
  >= 9.2.0, < 9.2.21, >= 9.3.0, < 9.3.16
• HIGH7.5CVE-2022-31042Fix failure to strip Authorization header on HTTP downgrade in Guzzle
  >= 9.2.0, < 9.2.21, >= 9.3.0, < 9.3.16
• HIGH7.5CVE-2022-25273Improper input validation in Drupal core
  >= 8.0.0, < 9.2.18, >= 9.3.0, < 9.3.12
• HIGH7.5CVE-2022-25271drupal7 - security update
  >= 7.0.0, < 7.88.0, >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.6
• HIGH7.5CVE-2020-13677Drupal core access bypass vulnerability
  >= 8.0.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
• HIGH7.5CVE-2020-13670Exposure of Resource to Wrong Sphere in Drupal Core
  >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
• HIGH7.2CVE-2022-25277Drupal core arbitrary PHP code execution
  >= 8.0.0, < 9.3.19, >= 9.4.0, < 9.4.3
• MEDIUM6.9CVE-2020-11022Potential XSS vulnerability in jQuery
  >= 7.0.0, < 7.70.0, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.6
• MEDIUM6.6CVE-2026-6366Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
  >= 8.0.0, < 10.5.9, >= 10.6.0, < 10.6.7, >= 11.0.0, < 11.2.11, >= 11.3.0, < 11.3.7
• MEDIUM6.5CVE-2023-31250Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
  >= 7.0.0, < 7.96.0, >= 9.4.0, < 9.4.14, >= 9.5.0, < 9.5.8, >= 10.0.0, < 10.0.8
• MEDIUM6.5CVE-2022-25278Access bypass in Drupal Core
  >= 8.0.0, < 9.3.19, >= 9.4.0, < 9.4.3
• MEDIUM6.5CVE-2022-25270Incorrect authorization in Drupal core
  >= 9.2.0, < 9.2.13, >= 9.3.0, < 9.3.6
• MEDIUM6.5CVE-2021-41183XSS in `*Text` options of the Datepicker widget in jquery-ui
  >= 7.0.0, < 7.86.0, >= 9.2.0, < 9.2.11, >= 9.3.0, < 9.3.3
• MEDIUM6.5CVE-2021-41184XSS in the `of` option of the `.position()` util in jquery-ui
  >= 7.0.0, < 7.86.0, >= 9.2.0, < 9.2.11, >= 9.3.0, < 9.3.3
• MEDIUM6.5CVE-2021-41182XSS in the `altField` option of the Datepicker widget in jquery-ui
  >= 7.0.0, < 7.86.0
• MEDIUM6.5CVE-2020-13676Incorrect Authorization in Drupal core
  >= 8.9.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
• MEDIUM6.5CVE-2020-13674Cross-Site Request Forgery in Drupal core
  >= 8.9.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
• MEDIUM6.1CVE-2026-6367Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
  >= 11.3.0, < 11.3.7
• MEDIUM6.1CVE-2026-6365Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001
  >= 8.0.0, < 10.5.9, >= 10.6.0, < 10.6.7, >= 11.0.0, < 11.2.11, >= 11.3.0, < 11.3.7
• MEDIUM6.1CVE-2024-55635Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
  >= 7.0.0, < 10.2.4
• MEDIUM6.1CVE-2025-3057Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
  >= 8.0.0, < 10.4.3, >= 11.0.0, < 11.1.3
• MEDIUM6.1CVE-2022-25276Lack of domain validation in Druple core
  >= 9.3.0, < 9.3.19, >= 9.4.0, < 9.4.3
• MEDIUM6.1CVE-2020-13662drupal7 - security update
  >= 7.0.0, < 7.70.1
• MEDIUM6.1CVE-2020-13668Access bypass in Drupal Core 8/9
  >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
• MEDIUM6.1CVE-2021-33829ckeditor4 vulnerable to cross-site scripting
  >= 8.9.0, < 8.9.16, >= 9.0.0, < 9.0.14, >= 9.1.0, < 9.1.9
• MEDIUM6.1CVE-2020-9281CKEditor 4.0 vulnerability in the HTML Data Processor
  >= 8.7.0, < 8.7.12, >= 8.8.0, < 8.8.4
• MEDIUM6.1CVE-2020-13672drupal7 - security update
  from 0, < 7.80.0, >= 8.9.0, < 8.9.14, >= 9.0.0, < 9.0.12, >= 9.1.0, < 9.1.7
• MEDIUM6.1CVE-2020-13669Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor
  >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
• MEDIUM6.1CVE-2020-13688Drupal Core Cross-site scripting vulnerability
  >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
• MEDIUM6.1CVE-2020-13666drupal7 - security update
  >= 7.0.0, < 7.73.0, >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
• MEDIUM5.9CVE-2025-13081Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
  >= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8
• MEDIUM5.9CVE-2024-11942Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
  >= 10.0.0, < 10.3.0
• MEDIUM5.4CVE-2025-31675Drupal Core Cross-Site Scripting (XSS) Vulnerability
  >= 8.0.0, < 10.4.5, >= 11.0.0, < 11.1.5
• MEDIUM5.4CVE-2024-12393Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
  >= 8.8.0, < 10.3.9, >= 11.0.0, < 11.0.8
• MEDIUM5.4CVE-2022-25274Access bypass in Drupal core
  >= 9.3.0, < 9.3.12
• MEDIUM5.4CVE-2022-24728Cross-site Scripting in CKEditor4
  >= 8.0.0, < 9.2.15, >= 9.3.0, < 9.3.8
• MEDIUM5.4CVE-2022-24728Cross-site Scripting in CKEditor4
  >= 8.0.0, < 9.2.15, >= 9.3.0, < 9.3.8
• MEDIUM5.3CVE-2025-13080Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
  >= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8
• MEDIUM5.3CVE-2022-24775Improper Input Validation in guzzlehttp/psr7
  >= 8.0.0, < 9.2.16, >= 9.3.0, < 9.3.9
• MEDIUM5.3CVE-2020-13667Drupal Core Access bypass vulnerability
  >= 8.8.0, < 8.8.10, >= 8.9.0, < 8.9.6, >= 9.0.0, < 9.0.6
• MEDIUM4.6CVE-2025-31673Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
  >= 8.0.0, < 10.4.3, >= 11.0.0, < 11.1.3
• MEDIUM4.3CVE-2025-13082Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
  >= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8
• LOW3.7CVE-2025-13083Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
  >= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.8