GHSA-297x-j9pm-xjgg

GitHub Security Advisory

Drupal Core Remote Code Execution Vulnerability

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to the earlier advisory "Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002". Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Affected Packages

Packagist drupal/core: affected versions 7.0 (fixed in 7.59)
Packagist drupal/core: affected versions 8.0 (fixed in 8.4.8)
Packagist drupal/core: affected versions 8.5 (fixed in 8.5.3)
Packagist drupal/drupal: affected versions 7.0 (fixed in 7.59)
Packagist drupal/drupal: affected versions 8.0 (fixed in 8.4.8)
Packagist drupal/drupal: affected versions 8.5 (fixed in 8.5.3)

Related CVEs

Key Information

GHSA ID: GHSA-297x-j9pm-xjgg
Published: April 23, 2024 10:36 PM
Last Modified: July 5, 2024 5:59 PM
CVSS Score: 9.0/10
Primary Ecosystem: Packagist
Primary Package: drupal/core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.