CVE Alert

CVE-2025-31675

MEDIUM 5.4

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

CVSS Score 5.4
EPSS Score 0.3%
EPSS Percentile 51st

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.

CWE CWE-79
Vendor drupal
Product drupal core
Ecosystems
Industries
WebMedia
Published Mar 31, 2025
Last Updated Apr 2, 2026

Affected Versions

Drupal / Drupal core
8.0.0 < 10.3.14
10.4.0 < 10.4.5
11.0.0 < 11.0.13
11.1.0 < 11.1.5

Drupal / Link
7.x-1.0 ≤ 7.x-1.12

References

drupal.org: https://www.drupal.org/sa-core-2025-004
herodevs.com: https://www.herodevs.com/vulnerability-directory/cve-2025-31675
d7es.tag1.com: https://d7es.tag1.com/security-advisories/link-moderately-critical-cross-site-scripting-sa-core-2025-004

Credits

Samuel Mortenson (samuel.mortenson)
Benji Fisher (benjifisher)
Bram Driesen (bramdriesen)
Alex Bronstein (effulgentsia)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Joseph Zhao (pandaski)
Adam G-H (phenaproxima)
Samuel Mortenson (samuel.mortenson)
Jess (xjm)