Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.
Published: 2025-03-31
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

An improperly neutralized input during web page generation in Drupal core permits cross‑site scripting (XSS). This flaw allows an attacker to inject and execute arbitrary JavaScript in the context of a victim’s browser. Based on the description, the attack vector is inferred to be remote, reliant on the ability to submit content that is rendered without sufficient sanitization.

Affected Systems

The vulnerability affects Drupal core from version 8.0.0 up to 10.3.13, from 10.4.0 up to 10.4.4, from 11.0.0 up to 11.0.12, and from 11.1.0 up to 11.1.4. It also impacts the Drupal 7 Link module versions 7.x-1.0 through 7.x-1.12.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while an EPSS score below 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA KEV. Based on the description, the attack vector is inferred to be remote, allowing an attacker who can submit content rendered without sufficient sanitization to inject malicious scripts.

Generated by OpenCVE AI on April 28, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Drupal core to at least 10.3.14, 10.4.5, 11.0.13, or 11.1.5, or later, and upgrade the Drupal 7 Link module to 7.x-1.12 or newer.
  • If upgrading immediately is not feasible, disable the Drupal 7 Link module or restrict its usage to trusted accounts, and apply client‑side sanitization as a temporary measure.
  • Deploy a strict Content Security Policy and validate or encode all user input before rendering it to mitigate potential XSS vectors.

Generated by OpenCVE AI on April 28, 2026 at 19:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9044 Drupal Core Cross-Site Scripting (XSS) Vulnerability
Github GHSA Github GHSA GHSA-m4wj-hhwj-47qp Drupal Core Cross-Site Scripting (XSS) Vulnerability
History

Thu, 02 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.
References

Mon, 02 Jun 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal drupal
CPEs cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Vendors & Products Drupal
Drupal drupal

Tue, 29 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 21:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
Title Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Weaknesses CWE-79
References

Subscriptions

Drupal Drupal
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-04-02T22:35:46.920Z

Reserved: 2025-03-31T21:30:04.614Z

Link: CVE-2025-31675

cve-icon Vulnrichment

Updated: 2025-04-29T15:45:06.701Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T22:15:20.003

Modified: 2026-04-02T23:17:04.443

Link: CVE-2025-31675

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:15:25Z

Weaknesses