GHSA-8849-cv9f-vccm

GitHub Security Advisory

Access bypass in Drupal core

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

Affected Packages

Packagist drupal/core, affected versions: 10.0.0 (fixed in 10.0.8)
Packagist drupal/core, affected versions: 9.5.0 (fixed in 9.5.8)
Packagist drupal/core, affected versions: 9.0.0 (fixed in 9.4.14)
Packagist drupal/core, affected versions: 7.0.0 (fixed in 7.96)

Key Information

GHSA ID: GHSA-8849-cv9f-vccm
Published: April 26, 2023 9:30 PM
Last Modified: April 27, 2023 2:01 PM
CVSS Score: 9.0/10
Primary Ecosystem: Packagist
Primary Package: drupal/core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.