MEIFP – Most Exploited Internet-Facing Products

Drupal

Products: Drupal core · Internationalization (i18n) - i18n_node submodule · Simple Hierarchical Select (shs) · TFA Basic Plugins

40.6

Score

CVEs

Active

PoC

KEV

#87

Rank

Period:

Product:

CVE ID	Published	CVSS	Exploit	KEV	AC	PR	Auto	Score(hover)	Affected Products	Description
CVE-2026-6816	2026-05-28	5.1v4.0	POC	—	Low	High	no	0.0	TFA Basic Plugins	An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
CVE-2026-9082	2026-05-20	6.5v3.1	ACTIVE		Low	None	YES	40.6	Drupal core	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 be
CVE-2026-0748	2026-03-26	5.3v4.0	POC	—	Low	Low	YES	0.0	Internationalization (i18n) - i18n_node submodule	In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls an

Each CVE: 10 pts base (Active only), boosted by:

KEV×2.0AC: Low×1.2PR: None×1.3PR: Low×1.1Auto×1.3