A flaw that went far beyond Drupal alone
Drupal's official advisory SA-CORE-2018-002 rated CVE-2018-7600 "highly critical": an unauthenticated remote code execution vulnerability in Drupal core. Soon after, Drupal also published a public service announcement stating that sites not patched in the days following disclosure may already have been compromised.
That official response alone shows how serious the issue was.
Why this CVE is still a landmark
Drupalgeddon2 became a landmark because it affected a mature CMS used in demanding environments and highlighted the danger of delayed patching on feature-rich administrative platforms.
This was not just a technical issue. It was also an operational one: how many sites could patch immediately, how many were delayed, and how many were simply forgotten.
What this says about PHP risk
When people criticize PHP, they often focus on the language itself. In practice, many major incidents come from the CMS, plugin, module, and maintenance layer around the language. Drupalgeddon2 fits that pattern exactly: the flaw was in how Drupal core's Form API accepted attacker-controlled keys from request input, not in the PHP interpreter.
A powerful PHP CMS becomes very sensitive when it concentrates content, workflows, privileged accounts, and extensions inside one exposed web surface.
The useful lesson in 2026
For teams still operating rich CMS platforms, the right question is not only whether the core is well designed. The questions are also:
Our view
Drupalgeddon2 still matters because it captures a very practical risk: when a critical flaw hits a business-critical CMS, the gap between disclosure and exploitation becomes very small.
In the PHP ecosystem, the first thing to judge is therefore not the language. It is the admin surface, the active modules, and the patch discipline around exposed platforms.
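The patch-discipline point above is concrete enough to check mechanically. The script below is an added example, not code from Drupal or from this article: it reads the version constant that each Drupal release ships (define('VERSION', ...) in includes/bootstrap.inc for Drupal 7, const VERSION in core/lib/Drupal.php for Drupal 8) and classifies the site against the releases that carried the fix for SA-CORE-2018-002 (7.58, 8.3.9, 8.4.6, 8.5.1). The site names and file contents are constructed sample input; a real run would read those two files from each checkout.

```python
"""Patch-state check for SA-CORE-2018-002 (CVE-2018-7600) across a set of
Drupal checkouts, based on the version constant each release declares.
Added example, not Drupal's own tooling."""
import re
from typing import Dict, Optional, Tuple

# Releases that carried the fix, per SA-CORE-2018-002. Branches 8.0-8.2 were
# end-of-life at the time and received no fixed release.
FIXED_IN = {"7": (7, 58), "8.3": (8, 3, 9), "8.4": (8, 4, 6), "8.5": (8, 5, 1)}

# How each major version declares itself in its bootstrap file.
VERSION_PATTERNS = (
    re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)"),  # D7: includes/bootstrap.inc
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'\s*;"),        # D8: core/lib/Drupal.php
)


def extract_version(php_source: str) -> Optional[str]:
    """Return the version string declared in a Drupal bootstrap file, if any."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(php_source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str) -> Tuple[Optional[Tuple[int, ...]], Optional[str]]:
    """Split '8.5.0-rc1' into ((8, 5, 0), 'rc1'). '8.5.x-dev' has no fixed number."""
    numeric, _, pre = version.partition("-")
    try:
        parts = tuple(int(p) for p in numeric.split("."))
    except ValueError:  # e.g. '8.5.x' from a -dev snapshot
        return None, pre or None
    return parts, pre or None


def assess(version: str) -> str:
    """Classify one declared version as 'patched', 'vulnerable', 'eol' or 'unknown'."""
    parts, pre = parse_version(version)
    if parts is None:
        return "unknown"  # dev snapshot: the number says nothing, inspect the code
    major = parts[0]
    if major >= 9 or (major == 8 and len(parts) > 1 and parts[1] > 5):
        return "patched"  # every later branch was released after the fix
    if major == 7:
        branch = "7"
    elif major == 8 and len(parts) > 1:
        branch = f"8.{parts[1]}"
    else:
        branch = None
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "eol"  # no official fixed release exists for this branch
    # A pre-release tagged with the fixed number (8.5.1-rc1) still predates the fix.
    if parts > fixed or (parts == fixed and pre is None):
        return "patched"
    return "vulnerable"


def assess_fleet(bootstrap_sources: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map site name -> (declared version, status) for site -> bootstrap file contents."""
    report = {}
    for site, source in bootstrap_sources.items():
        version = extract_version(source)
        report[site] = (version, assess(version) if version else "unknown")
    return report


# Constructed sample input: the version lines four hypothetical sites would ship.
SAMPLE_FLEET = {
    "intranet.example": "<?php\ndefine('VERSION', '7.57');\n",                      # one release short
    "www.example": "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n",          # fixed release
    "legacy.example": "<?php\nclass Drupal {\n  const VERSION = '8.2.7';\n}\n",       # branch with no fix
    "dev.example": "<?php\nclass Drupal {\n  const VERSION = '8.5.x-dev';\n}\n",      # snapshot, unknown
}

if __name__ == "__main__":
    for site, (version, status) in assess_fleet(SAMPLE_FLEET).items():
        print(f"{site:20} {version or '?':12} {status}")
```

The "eol" and "unknown" outcomes are the operational point of the article: a site on a branch with no fixed release, or on a dev snapshot whose number proves nothing, cannot be closed out by a version comparison and needs either a migration or a code-level check.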