- How many CVEs does Drupal have?
- Drupal has 1,146 published CVE records since 2005, including 302 in the last two years.
- How many Drupal CVEs are in CISA KEV?
- Yes — 8 of Drupal's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.
- Which Drupal products have the most CVEs?
- The Drupal products with the most published CVEs are Drupal, Drupal core, core, AI (Artificial Intelligence), Open Social.
- What are the most common weakness types in Drupal CVEs?
- Drupal's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-863 (Incorrect Authorization), CWE-352 (Cross-Site Request Forgery (CSRF)), CWE-862 (Missing Authorization).
- Are there public exploits for Drupal vulnerabilities?
- Yes — 43 of Drupal's CVEs have a known public exploit.
- How many critical Drupal vulnerabilities are there?
- Drupal has 54 critical and 170 high-severity CVEs.
- What is the average severity of Drupal CVEs?
- The average CVSS base score across Drupal's scored CVEs is 5.4.