These posts by the Drupal security team are also sent to the security announcements e-mail list.

SA-CORE-2013-002 - Drupal core - Denial of service

  • Advisory ID: DRUPAL-SA-CORE-2013-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2013-February-20
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of service
Read more

SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2013-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-January-16
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass
Read more

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2012-004
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-December-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Arbitrary PHP code execution
Read more

SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

  • Advisory ID: DRUPAL-SA-CORE-2012-003
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-October-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure, Arbitrary PHP code execution
Read more

SA-CORE-2012-002 - Drupal core multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2012-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-May-2
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Read more

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2012-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-February-01
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Read more

SA-CORE-2011-003 - Drupal core - Access bypass

  • Advisory ID: DRUPAL-SA-CORE-2011-003
  • Project: Drupal core
  • Version: 7.x
  • Date: 2011-July-27
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Read more

SA-CORE-2011-002 - Drupal core - Access bypass

  • Advisory ID: DRUPAL-SA-CORE-2011-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2011-JUNE-29
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Read more

SA-CORE-2011-001 - Drupal core - Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2011-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2011-May-25
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Scripting
Read more

SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2010-002
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2010-August-11
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Read more
Subscribe with RSS Syndicate content

Security announcements

In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

You can also get rss feeds for core, contrib, or public service announcements or follow @drupalsecurity on Twitter.

Contacting the Security team

In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.

Writing secure code

If you are a Drupal developer, please read the handbook section on Writing secure code.

Security books

There are many useful books about Drupal. Here are two that discuss security:

Advertising helps build a successful ecosystem around Drupal.