The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code.

There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Coder module 7.x-1.x versions prior to 7.x-1.3.
  • Coder module 7.x-2.x versions prior to 7.x-2.6.

Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.


Two solutions are possible.

A first option is to remove the module from all publicly available websites:

  • The coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire coder module directory from any publicly accessible website.

A second option is to install the latest version:

Also see the Coder project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at or via the contact form at

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at