GHSA-v8wr-r69p-mmwx · Severity: critical · Ecosystem: composer — Unrestricted Upload of File with Dangerous Type in Drupal core
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
Conclusion & alert: CVE-2020-13675 is rated Moderate Risk (62.2/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.22%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.80% | 1.22% | +0.42% |
| 2 | 2026-01-15 | 0.51% | 0.80% | +0.29% |
| 3 | 2025-08-23 | — | 0.51% | — |
Full EPSS history (9 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL | | 3.9 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH | | 10.0 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| ubuntu | low | CVE-2020-13675 low priority: Ubuntu, including 1 source package (drupal7), 3 status rows across 3 suites (trusty, upstream, xenial): not-affected 2, needs-triage 1. | https://ubuntu.com/security/CVE-2020-13675 |
| URL | Tags |
|---|---|
| https://www.drupal.org/sa-core-2021-008 | Mitigation Patch Vendor Advisory |