Low
CVE-2025-71310
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info conte…
Tag: Backdrop
All CVEs associated with "Backdrop". Page 1/1 • 33 CVEs.
About “Backdrop”
A curated feed of “Backdrop”-related CVEs appears below. We currently track 33 CVEs for this tag (all time). In the last 365 days, 4 were published. Average CVSS is 5.7 (all time; 5.3 over 365d), and 18% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), CWE-352 - Cross-Site Request Forgery (CSRF), CWE-601 - URL Redirection to Untrusted Site ('Open Redirect').
In our taxonomy this topic maps to a LOW impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
Support & lifecycle: backdrop
This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.
| Cycle | Release | Latest | EOL | LTS |
|---|---|---|---|---|
| 1.34 | 1.34.0 | - | ||
| 1.33 | 1.33.3 | - | ||
| 1.32 | 1.32.3 | Expired | ||
| 1.31 | 1.31.2 | Expired | ||
| 1.30 | 1.30.3 | Expired | ||
| 1.29 | 1.29.5 | Expired | ||
| 1.28 | 1.28.5 | Expired | ||
| 1.27 | 1.27.3 | Expired |
Maintained Soon (≤ 180 days) Expired
Subscribe lifecycle: RSS · RSS (expired) · ICS
Subscribe CVEs: RSS for “Backdrop” · RSS (High+Critical only)
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2026-05-26
2026-05-12
High
CVE-2026-45430
The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.
2025-11-18
Medium
CVE-2025-63828
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session h…
2025-06-26
Medium
CVE-2025-44141
A Cross-Site Scripting (XSS) vulnerability exists in the node creation form of Backdrop CMS 1.30.
2025-04-25
Medium
CVE-2025-46595
An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't ve…
2025-03-07
Medium
CVE-2025-27826
An XSS issue was discovered in the Bootstrap Lite theme before 1.x-1.4.5 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.
Medium
CVE-2025-27825
An XSS issue was discovered in the Bootstrap 5 Lite theme before 1.x-1.0.3 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.
Medium
CVE-2025-27824
An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn't sufficiently sanitize input before displaying results to the screen. This vulnerability i…
Medium
CVE-2025-27823
An issue was discovered in the Mail Disguise module before 1.x-1.0.5 for Backdrop CMS. It enables a website to obfuscate email addresses, and should prevent spambots from collecting them. The module…
High
CVE-2025-27822
An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permiss…
2025-02-03
Medium
CVE-2025-25063
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SV…
Medium
CVE-2025-25062
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows…
2024-11-29
Medium
CVE-2024-54123
Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format.
2024-07-22
Medium
CVE-2024-41709
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attack…
2023-04-24
Medium
CVE-2023-31045
A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user…
2023-02-21
Medium
CVE-2023-26265
The Borg theme before 1.1.19 for Backdrop CMS does not sufficiently sanitize path arguments that are passed in via a URL. The function borg_preprocess_page in the file template.php does not properly…
2023-01-11
Low
CVE-2012-10004
A vulnerability was found in backdrop-contrib Basic Cart on Drupal. It has been classified as problematic. Affected is the function basic_cart_checkout_form_submit of the file basic_cart.cart.inc. Th…
2022-11-23
Medium
CVE-2022-42095
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.
2022-11-22
Medium
CVE-2022-42097
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment.' .
Medium
CVE-2022-42094
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
2022-11-21
Medium
CVE-2022-42096
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.
2022-10-07
High
CVE-2022-42092
Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution. Note: Third parties dispute this and argue that advanced permissions are re…
2022-08-01
Medium
CVE-2022-34530
An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.
2022-02-03
High
CVE-2021-45268
A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously a…
2019-12-19
Medium
CVE-2019-19903
An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially cra…
High
CVE-2019-19902
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configuration archives through the user interface or command line. It does n…
Medium
CVE-2019-19901
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An a…
Medium
CVE-2019-19900
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An a…
2019-08-08
Critical
CVE-2019-14771
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded…
Medium
CVE-2019-14770
In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the sear…
Medium
CVE-2019-14769
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a spe…
2019-04-20
Medium
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an e…
2018-12-20
Medium
CVE-2018-1000813
Backdrop CMS version 1.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Sanitization of custom class names used on blocks and layouts. that can result in Execution of JavaScrip…