CVE-2025-13081
Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
| CWE | CWE-915 |
| Vendor | drupal |
| Product | drupal core |
| Ecosystems | |
| Industries | WebMedia |
| Published | Nov 18, 2025 |
| Last Updated | Feb 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for drupal drupal core
Be the first to know when new medium vulnerabilities affecting drupal drupal core are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
Drupal / Drupal core
8.0.0 < 10.4.9 10.5.0 < 10.5.6 11.0.0 < 11.1.9 11.2.0 < 11.2.8
Credits
anzuukino Anna Kalata (akalata) catch (catch) Neil Drumm (drumm) Greg Knaddison (greggles) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Juraj Nemec (poker10) Ra MΓΒ€nd (ram4nd) Jess (xjm) catch (catch) Lee Rowlands (larowlan) Dave Long (longwave) Drew Webber (mcdruid) Juraj Nemec (poker10)