Skip to content
Detect Microsoft Exchange RCE CVE-2021-28480 with our Network Vulnerability Scanner

Drupal Vulnerability Scan

Detect vulnerabilities in Drupal core, plugins and weak configurations

Sample Report | Use Cases | Technical Details

Need to see the full results?

Unlock the full power and feature of our Drupal Vulnerability Scan! Compare pricing plans and discover more tools and features.

Sample Report

Here is a Drupal Vulnerability Scan sample report:

  • Shows known vulnerabilities which affect the identified Drupal version (core and plugins)
  • Includes checks for known Drupal configuration issues
  • Provides detailed risk description and recommendations for improvement

Download Sample Report

Sample report

Drupal Vulnerability Scan - Use Cases

Finds Drupal version, modules, theme, and their vulnerabilities. Checks for common Drupal misconfigurations and weak server settings.

Drupal Penetration Testing

Speed-up your penetration test using this scanner. You don't need to install or configure anything, it is just ready-to-go. Quickly discover Drupal version and its vulnerabilities, Drupal plugins, themes and other specific configuration issues.

Self-Security Assessment

Check if your own installation of Drupal is updated and properly configured. See how your Drupal installation looks from the perspective of an external attacker.

Third-Party Website Audit

If you are a web development company, you can also show this report to your clients and prove that you have implemented the proper security measures in the Drupal website.

Technical Details


This is a custom scanner that implements all the security checks performed by known Drupal scanners such as CMSMap or Droopescan but also adds new security tests on top.

The list of tests performed by the Drupal vulnerability scanner includes:
  • Fingerprint the server software and technology
  • Fingerprint the Drupal installation
  • Find installed Drupal modules
  • Find the current Drupal theme
  • Search for vulnerabilities affecting the current Drupal version
  • Check for directory listing
  • Search for default install files
  • Verify the communication security (HTTPS settings)
  • Attempt user enumeration using Views module
  • Attempt user discovery using Forgot Password
  • Check if the login page is accessible
  • Check if user registration is enabled

The scan is performed remotely, without authentication, in a black-box manner. This simulates an external attacker who tries to penetrate the target website.
However, no harmful actions are performed and all identified problems are presented in the final report.


Parameter Description
Target URL This is the URL of the Drupal website that will be scanned. All URLs must start with http or https.
Don't forget to specify the complete path to the base directory of the Drupal installation (if exists). Ex.

How it works

The scanner performs a series of passive and active checks to identify the Drupal version, modules, themes, and the current system configuration.
Furthermore, the Drupal core vulnerabilities are extracted from a local database which is periodically updated with the latest vulnerabilities which affect Drupal. The vulnerabilities are reported according to the identified Drupal version.

See the Sample report for a detailed output of the scanner.