CVE-2025-31675

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-31675
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004
https://www.drupal.org/sa-core-2025-004 Vendor Advisory
https://www.herodevs.com/vulnerability-directory/cve-2025-31675
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
History

02 Apr 2026, 23:17

Type Values Removed Values Added
Summary (en) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. (en) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.
References
  • () https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004 -
  • () https://www.herodevs.com/vulnerability-directory/cve-2025-31675 -

02 Jun 2025, 16:25

Type Values Removed Values Added
CPE cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
References () https://www.drupal.org/sa-core-2025-004 - () https://www.drupal.org/sa-core-2025-004 - Vendor Advisory
First Time Drupal
Drupal drupal

29 Apr 2025, 16:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4
Summary
  • (es) Vulnerabilidad de neutralización incorrecta de entrada durante la generación de páginas web ('Cross-site Scripting') en Drupal Drupal core permite Cross-Site Scripting (XSS). Este problema afecta al núcleo de Drupal: desde la versión 8.0.0 hasta la 10.3.14, desde la versión 10.4.0 hasta la 10.4.5, desde la versión 11.0.0 hasta la 11.0.13, desde la versión 11.1.0 hasta la 11.1.5.

31 Mar 2025, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-31 22:15

Updated : 2026-04-02 23:17

NVD link : CVE-2025-31675

Mitre link : CVE-2025-31675

CVE.ORG link : CVE-2025-31675

JSON object : View

Products Affected

drupal

  • drupal
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')