GHSA-f4qx-jqfq-7785 · Severity: critical · Ecosystem: composer — Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions
In versions of Drupal 8 core prior to 8.3.7, there is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.
Conclusion & alert: CVE-2017-6925 is rated High Risk (71.6/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 3.02%). Core evidence: EPSS rose +2.38% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.64% | 3.02% | +2.38% |
| 2 | 2025-11-21 | 3.77% | 0.64% | -3.13% |
| 3 | 2025-11-18 | — | 3.77% | — |
Full EPSS history (15 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.0 | CRITICAL | | 3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH | | 10.0 | 6.4 | [email protected] |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/100368 | Third Party Advisory VDB Entry |
| http://www.securitytracker.com/id/1039200 | Third Party Advisory VDB Entry |
| https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple | Mitigation Vendor Advisory |