Unfortunately this question is too generically asked to give a specific answer because this highly depends on the target you are scanning and the vulnerability you are looking for.
But basically GVM can find vulnerabilities in a CMS if they are public known (e.g. via a vendor advisory or a report of a security researcher) and a VT for it exists.
A few additional notes:
-
GVM is not a Web Application Scanner (WAS) so it can’t find unknown vulnerabilities in a web application like Drupal if no such advisory / report exists.
-
Specific to Drupal the VTs have a lower QoD if the target is a Linux System due to Drupal being shipped in various Linux Distributions which are doing security backports without changing the exposed versions. This might require that you need to lower the QoD value within your GVM filters. More about this topic can be found at https://docs.greenbone.net/GSM-Manual/gos-6/en/glossary.html#quality-of-detection-qod
-
The results depends on your used port list as well.