CVE-2018-7600

UnscoredEPSS 100.0%CISA KEVCWE-20 · Improper Input Validation

Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise.

References

NVD MITRE CVE.org CISA KEV

Community ground truth

Community verdict

2 verdicts

Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

to add your verdict.

Community real-world severity: Critical (Critical 2)

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

0
Field note · Mara OkonkwoCurated
Unauth RCE via Drupal's Form API render arrays. Public exploits within days; mass cryptominer deployment followed. If you ran unpatched Drupal 7/8 in 2018, assume it was hit.
0
Remediation · Diego RamírezCurated
Update Drupal core (7.58 / 8.5.1+). Post-incident, audit for dropped miners/webshells and rotate site secrets.