CVE-2025-31675
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Drupal | Drupal core | 8.0.0 < 10.3.14 | affected |
| Drupal | Drupal core | 10.4.0 < 10.4.5 | affected |
| Drupal | Drupal core | 11.0.0 < 11.0.13 | affected |
| Drupal | Drupal core | 11.1.0 < 11.1.5 | affected |
| Drupal | Link | 7.x-1.0 <= 7.x-1.12 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.drupal.org/sa-core-2025-004
- https://www.herodevs.com/vulnerability-directory/cve-2025-31675
- https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.